On June 15, 2016, the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) announced that its multistakeholder process to develop a code of conduct regarding the commercial use of facial recognition technology had concluded with the group reaching a consensus on a best practices document. As we previously reported, the NTIA announced the multistakeholder process in December 2013 in response to the White House’s February 2012 privacy framework, which directed the NTIA to oversee the development of codes of conduct that specify how the Consumer Privacy Bill of Rights applies in specific business contexts.
TCCWNA. The very acronym evokes head scratches and sighs of angst and frustration among many lawyers in the retail industry. You have probably heard about it. You may have even been warned about it. And you may currently be trying to figure out how best to minimize your risk and exposure this very moment. But what is it and why has virtually every retailer been hit with a TCCWNA class action demand letter or lawsuit in the past few months? And why are most retailers scrambling to update the terms and conditions of their websites?
On June 8, 2016, the Federal Trade Commission announced that Practice Fusion, an electronic health records company, agreed to settle FTC charges that the company misled consumers about the privacy of doctor reviews submitted to the company.
The Federal Trade Commission announced that it will host a workshop on September 15, 2016, “Putting Disclosures to the Test,” on the efficacy and costs of consumer disclosures in advertising and privacy policies. Planned discussion topics include examining disclosures meant to avoid deception in advertising, disclosures designed to inform consumers of data tracking, and industry-specific disclosures for jewelry, environmental and fuel-saving claims. The workshop is open to the public and will take place at the FTC’s Constitution Center offices in Washington, D.C ...
On June 1, 2016, a new do-not-call list (the “BLOCTEL list”) was implemented in France. French residents who do not wish to receive marketing phone calls may register their landline or mobile phone number online at www.bloctel.gouv.fr.
As we previously reported, the Supreme Court’s decision in Spokeo v. Robins has been nearly universally lauded by defense counsel as a new bulwark against class actions alleging technical violations of federal statutes. It may be that. But Spokeo also poses a significant threat to defendants by defeating their ability to remove exactly the types of cases that defendants most want in federal court. The decision circumscribes the federal jurisdiction, with all its advantages, that defendants have enjoyed under Class Action Fairness Act (“CAFA”) for the past decade.
On May 9, 2016, the Federal Trade Commission announced it had issued Orders to File a Special Report (“Orders”) to eight mobile device manufacturers requiring them to, for purposes of the FTC’s ongoing study of the mobile ecosystem, provide the FTC with “information about how [the companies] issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.” The FTC’s authority to issue such Orders comes from Section 6(b) of the FTC Act.
On May 4, 2016, the Federal Trade Commission issued a press release announcing its recent settlement with the hand-held vaporizers manufacturer, Very Incognito Technologies, Inc. (“Vipvape”). The FTC had charged Vipvape with falsely claiming that it was a certified company under the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules (“CBPR”) framework. The settlement prohibits Vipvape from misleading consumers about its participation in any privacy and security certification program, including the APEC CBPR framework. This is the first CBPR-related case taken up by the FTC.
On April 13, 2016, Nebraska Governor Pete Ricketts signed into law LB 835 (the “Bill”), which among other things, adds a regulator notification requirement and broadens the definition of “personal information” in the state’s data breach notification statute, Neb. Rev. Stat. §§ 87-802 to 87-804. The amendments take effect on July 20, 2016.
In its third simulated test of the security of the power grid, the North American Reliability Corporation (“NERC”) reported general progress across the electric utility industry in defending against physical and cyber threats, while also identifying several areas for further improvement.
The NERC exercise, dubbed GridEx III, took place over two days in November 2015 and involved more than 4,400 individuals from 364 industry, law enforcement and government organizations across the United States, Canada and Mexico. The main objectives of the exercise were to test crisis response and recovery, improve communication, identify problem areas and engage senior-level leadership in the organizations involved.
On April 6, 2016, the Federal Trade Commission formally welcomed the updated Recommendation on Consumer Protection in E-commerce (the “Recommendation”) issued by the Organization for Economic Cooperation and Development (“OECD”) on March 24, 2016, endorsing the Recommendation’s broadened scope and increased consumer protections that “are designed to strengthen consumers’ trust in the expanding electronic marketplace.”
On March 24, 2016, Tennessee Governor Bill Haslam signed into law S.B. 2005, as amended by Amendment No. 1 to S.B. 2005 (the “Bill”), which makes a number of changes to the state’s data breach notification statute, Tenn. Code § 47-18-2107. The amendments take effect on July 1, 2016.
On March 18, 2016, a report was released by a joint team from the North American Electric Reliability Corporation’s Electricity Information Sharing Analysis Center and SANS Industrial Control Systems. According to the report, the cyber attack against a Ukrainian electric utility in December 2015 that caused 225,000 customers to lose power for several hours was based on months of undetected reconnaissance that gave the attackers a sophisticated understanding of the utility’s supervisory control and data acquisition networks.
On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) reached a settlement with Dwolla, Inc. (“Dwolla”), an online payment system company, to resolve claims that the company made false representations regarding its data security practices in violation of the Consumer Financial Protection Act. Among other things, the consent order imposes a $100,000 fine on Dwolla. This marks the first data security-related fine imposed by the CFPB.
On February 23, 2016, the Federal Trade Commission announced that it reached a settlement with Taiwanese-based network hardware manufacturer ASUSTeK Computer, Inc. (“ASUS”), to resolve claims that the company engaged in unfair and deceptive security practices in connection with developing network routers and cloud storage products sold to consumers in the U.S.
On February 16, 2016, California Attorney General Kamala D. Harris released the California Data Breach Report 2012-2015 (the “Report”) which, among other things, provides (1) an overview of businesses’ responsibilities regarding protecting personal information and reporting data breaches and (2) a series of recommendations for businesses and state policy makers to follow to help safeguard personal information.
A federal judge of the U.S. District Court for the Northern District of Illinois denied Neiman Marcus’ motion to dismiss in Remijas et al. v. Neiman Marcus Group, LLC, 1:14-cv-01735. As we previously reported, the Seventh Circuit reversed Judge James B. Zagel’s earlier decision dismissing the class action complaint based on Article III standing. At that time the Seventh Circuit declined to analyze dismissal under Federal Rule of Civil Procedure 12(b)(6) due to, among other reasons, the district court’s focus on standing.
On December 28, 2015, the People's Bank of China published Administrative Measures for Online Payment Business of Non-bank Payment Institutions (the “Measures”). The Measures were enacted to provide further details on the regulation of online payment businesses, in supplement to the earlier Administrative Measures for the Payment Services of Non-financial Institutions (the “2010 Measures”), published by the People's Bank of China on June 14, 2010. The 2010 Measures regulated the conduct of all payment services, including both online payment methods and three other types of payment methods, by all types of Non-bank Payment Institutions (“NBPIs”). The newer Measures are more focused and apply only to online payment methods, and only to NBPIs which have already obtained a Payment Business License and are engaged in an online payment business.
On January 5, 2016, the Federal Trade Commission announced that dental office management software provider, Henry Schein Practice Solutions, Inc. (“Schein”), agreed to settle FTC charges that accused the company of falsely advertising the level of encryption it used to protect patient data. The proposed Agreement Containing Consent Order (“Consent Order”) stems from an FTC complaint that alleged the company engaged in unfair or deceptive acts or practices by falsely representing that the Dentrix G5 software used industry-standard encryption and helped dentists protect patient data in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
Late last year the Federal Trade Commission issued enforcement guidance on “native advertising” — ads that purposely are formatted to appear as noncommercial and are integrated into surrounding editorial content. The agency’s guidance took two parts: an Enforcement Policy Statement on deceptively formatted ads, and a Guide for Business on native advertising. These long-awaited guidance documents follow on the FTC’s December 2013 “Blurred Lines” workshop on native advertising. Importantly, the FTC notes that its policy statement does not apply just to advertisers but also to other parties that help create the content: ad agencies, ad networks and potentially, publishers.
On December 15, 2015, the California Attorney General announced an approximately $25 million settlement with Comcast Cable Communications, LLC (“Comcast”) stemming from allegations that Comcast disposed of electronic equipment (1) without properly deleting customer information from the equipment and (2) in landfills that are not authorized to accept electronic equipment. The settlement must be approved by a California judge before it is finalized.
On December 21, 2015, the Federal Trade Commission announced software company Oracle Corporation (“Oracle”) has agreed to settle FTC charges that accused the company of misrepresenting the security of its software updates. The proposed Agreement Containing Consent Order (“Consent Order”) stems from an FTC complaint that alleged the company had deceived consumers about the security provided by updates to the Java Platform, Standard Edition software (“Java SE”).
On December 17, 2015, the German Federal Diet (Bundestag) adopted a draft law introducing class action-like claims that will enable consumer protection associations to sue companies for violations of German data protection law.
On December 17, 2015, the Federal Trade Commission announced that LifeLock, Inc. (“LifeLock”) has agreed to pay $100 million to settle contempt charges for deceptive advertising. According to the FTC, “[t]his is the largest monetary award obtained by the Commission in an order enforcement action.” Under the terms of the settlement, $68 million of the settlement amount will be paid to class action consumers who were injured by the identity theft protection company’s violation of a 2010 settlement with the FTC that required LifeLock to protect consumer information. The rest of the money will be used for settlements with state attorneys general, and any remaining money will go to the FTC. The case is Federal Trade Commission v. LifeLock Inc., et al. (2:10-cv-00530), in the U.S. District Court for the District of Arizona.
On December 16, 2015, leaders in the U.S. House of Representatives and Senate released a $1.1 trillion omnibus spending bill that contained cybersecurity information sharing language that is based on a compromise between the Cybersecurity Information Sharing Act, which passed in the Senate in October, and two cybersecurity information sharing bills that passed in the House earlier this year. Specifically, the omnibus spending bill included Division N, the Cybersecurity Act of 2015 (the "Act").
On December 9, 2015, the Federal Trade Commission announced that Wyndham Worldwide Corporation (“Wyndham”) settled charges brought by the FTC stemming from allegations that the company unfairly failed to maintain reasonable data security practices. The case is FTC v. Wyndham Worldwide Corporation, et al. (2:13-CV-01887-ES-JAD) in the U.S. District Court for the District of New Jersey.
On December 4, 2015, President Obama signed the Fixing America’s Surface Transportation Act (the ‘‘FAST Act’’) into law. The FAST Act, which is aimed at improving the country’s surface transportation infrastructure, contains a provision that modifies the annual privacy notice requirement under the Gramm-Leach-Bliley Act (“GLBA”).
On November 16, 2015, the Legislative Affairs Office of the State Council of the People's Republic of China published a draft Regulation for Couriers (the “Regulation”) and requested public comment on the Regulation. Interested parties have until mid-December 2015 to submit comments on the Regulation. The Regulation comes at a time when courier services and online shopping are growing steadily in China. Under the Regulation, the sender of a parcel will be required to fill in his or her real name and address, the telephone numbers of both the sender and the recipient, as well as the name, quantity and nature of the object being couriered.
On November 5, 2015, the Enforcement Bureau of the Federal Communications Commission (“FCC”) entered into a Consent Decree with cable operator Cox Communications to settle allegations that the company failed to properly protect customer information when the company’s electronic data systems were breached in August 2014 by a hacker. The FCC alleged that Cox failed to properly protect the confidentiality of its customers’ proprietary network information (“CPNI”) and personally identifiable information, and failed to promptly notify law enforcement authorities of security breaches involving CPNI in violation of the Communications Act of 1934 and FCC’s rules.
On November 13, 2015, Chief Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint against LabMD Inc. (“LabMD”) for failing to show that LabMD’s allegedly unreasonable data security practices caused, or were likely to cause, substantial consumer injury. The law judge did not address LabMD’s claim that the FTC does not have jurisdiction to enforce data security standards under the unfairness prong of Section 5 of the FTC Act, and LabMD has reserved its jurisdictional challenge for an anticipated appeal to the federal court. The action is In the Matter of LabMD Inc., Docket No. 9357.
On November 13, 2015, the French Data Protection Authority (“CNIL”) announced its decision in a case against Optical Center, imposing a fine of €50,000 on the company for violations related to the security and confidentiality of its customers’ personal data.
On November 2, 2015, Federal Communications Commission (“FCC”) Chairman, Tom Wheeler, indicated in an interview that the agency would take on the issue of broadband privacy within the next several months, most likely in the form of a notice of proposed rulemaking. Chairman Wheeler said that the FCC’s inquiry would look at the privacy practices of “those who provide the networks” (i.e., Internet service providers (“ISPs”)) and how such businesses are protecting their customers’ information.
On October 26, 2015, the Federal Trade Commission (“FTC”) issued a press release on the Global Privacy Enforcement Network (“GPEN”) Alert, a new multilateral information sharing system that would allow participating agencies to share information relating to an investigation in order to facilitate better cross-border coordination. The FTC, along with agencies from seven other nations, signed a Memorandum of Understanding at the 37th International Conference of Data Protection and Privacy Commissioners in Amsterdam. FTC Chairwoman Edith Ramirez stated that the “GPEN Alert is an important, practical cooperation tool that will help GPEN authorities protect consumer privacy across the globe.” Australia, Canada, Ireland, The Netherlands, New Zealand, Norway and the United Kingdom join the U.S. in their efforts to coordinate global consumer privacy protection.
On October 27, 2015, the U.S. Senate passed S.754 - Cybersecurity Information Sharing Act of 2015 (“CISA”) by a vote of 74 to 21. CISA is intended to facilitate and encourage the sharing of Internet traffic information between and among companies and the federal government to prevent cyber attacks, by giving companies legal immunity from antitrust and privacy lawsuits. CISA comes in the wake of numerous recent, high-profile cyber attacks.
On October 23, 2015, the United States District Court for the District of Minnesota, in large part, upheld Target’s assertion of the attorney-client privilege and work-product protections for information associated with a privileged, internal investigation of Target’s 2013 data breach.
The United States District Court for the Northern District of California recently dismissed―without prejudice―a former Uber driver’s class action complaint. The driver, Sasha Antman, was one of roughly 50,000 drivers whose personal information was exposed during a May 2014 data breach. Uber contended the accessed files contained only the affected individuals’ names and drivers’ license numbers.
On October 2, 2015, California Attorney General Kamala D. Harris announced that her office settled a lawsuit against home design website, Houzz Inc. (“Houzz”). Houzz was charged with secretly recording incoming and outgoing telephone calls for training and quality assurance purposes without notifying its customers, employees or call recipients, in violation of California eavesdropping and wiretapping laws. As part of the settlement, the Attorney General required Houzz to destroy the recordings, pay a fine of $175,000 and hire a Chief Privacy Officer to supervise its compliance with privacy laws and conduct privacy risk evaluations to assess Houzz’s privacy practices. This is the first time that the Attorney General has required the hiring of a Chief Privacy Officer as part of a settlement.
On October 1, 2015, the Court of Justice of the European Union (the “CJEU”) issued its judgment in Weltimmo v Nemzeti (Case C-230/14). Weltimmo, a company registered and headquartered in Slovakia, runs a website that allows property owners in Hungary to advertise their properties. The CJEU stated that, in some cases, Weltimmo had failed to delete the personal data of the advertisers upon request, and also had sent debt collectors to some advertisers despite their earlier attempts to cancel their accounts. The advertisers complained to the Hungarian Data Protection Authority (“DPA”), which investigated the matter and issued a fine of HUF 10 million (approximately 36,500 USD) against Weltimmo.
On September 17, 2015, the Seventh Circuit rejected Neiman Marcus’ petition for a rehearing en banc of Remijas v. Neiman Marcus Group, LLC, No. 14-3122. In Remijas, a Seventh Circuit panel found that members of a putative class alleged sufficient facts to establish standing to sue Neiman Marcus following a 2013 data breach that resulted in hackers gaining access to customers’ credit and debit card information. No judge in regular active service requested a vote on the rehearing petition. Additionally, all members of the original panel voted to deny rehearing. As we previously reported, and according to The Practitioner's Handbook for Appeals to the United States Court of Appeals for the Seventh Circuit, “it is more likely to have a petition for writ of certiorari granted by the Supreme Court than to have a request for en banc consideration granted” in the Seventh Circuit.
On September 22, 2015, the Securities and Exchange Commission (“SEC”) announced a settlement order (the “Order”) with an investment adviser for failing to establish cybersecurity policies and procedures, and published an investor alert (the “Alert”) entitled Identity Theft, Data Breaches, and Your Investment Accounts.
On September 15, 2015, Judge Magnuson of the U.S. District Court for the District of Minnesota certified a Federal Rule of Civil Procedure 23(b)(3) class of financial services institutions claiming damages from Target Corporation’s 2013 data breach. The class consists of “all entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.”
On September 2, 2015, the Information Commissioner’s Office (the “ICO”) announced an investigation into the data sharing practices of charities in the United Kingdom. The announcement follows the publication of an article in a UK newspaper highlighting the plight of Samuel Rae, an elderly man suffering from dementia. In 1994, Rae completed a survey, which resulted in a charity collecting his personal data. The charity, in turn, allegedly shared his contact details with other charities, data brokers and third parties. Over the years, some of those charities and third parties are reported to have sent Rae hundreds of unwanted items of mail, requesting donations and, in some cases, attempting to defraud him. The legal basis on which Rae’s details were shared remains unclear, although the ICO has noted that the distribution may have resulted from a simple failure to tick an “opt-out” box on the survey.
On August 14 and August 26, 2015, the Conference of the Data Protection Commissioners of the Federal Government and the Federal States (Länder) issued a detailed position paper (“Position Paper”) and a press release on the main issues for the trilogue negotiations on the proposed EU General Data Protection Regulation (the “Regulation”). In the Position Paper and press release, the participating German Data Protection Commissioners (“German DPAs”) request the trilogue partners to focus on the following issues:
On July 30, 2015, the Bavarian Data Protection Authority (“DPA”) issued a press release stating that it imposed a significant fine on both the seller and purchaser in an asset deal for unlawfully transferring customer personal data as part of the deal.
On August 24, 2015, the United States Court of Appeals for the Third Circuit issued its opinion in Federal Trade Commission v. Wyndham Worldwide Corporation (“Wyndham”), affirming a district court holding that the Federal Trade Commission has the authority to regulate companies’ data security practices.
On August 11, 2015, the Online Trust Alliance, a nonprofit group whose goal is to increase online trust and promote the vitality of the Internet, released a framework (the “Framework”) for best practices in privacy and data security for the Internet of Things. The Framework was developed by the Internet of Things Trustworthy Working Group, which the Online Trust Alliance created in January 2015 to address “the mounting concerns and collective impact of connected devices.”
On May 25, 2015, the Privacy and Big Data Institute at Ryerson University in Canada announced that it is offering a Privacy by Design Certification. Privacy by Design is a “framework that seeks to proactively embed privacy into the design specifications of information technologies” to obtain the most secure data protection possible. Organizations that attain the certification will be permitted to post a “Certification Shield” “to demonstrate to consumers that they have withstood the scrutiny of a rigorous third party assessment, assuring the public that their product or service reflects the viewpoint of today’s privacy conscious consumer.”
On August 3, 2015, Neiman Marcus requested en banc review of the Seventh Circuit’s recent decision in Remijas v. Neiman Marcus Group, LLC, No. 14-3122. As we previously reported, the Seventh Circuit found that members of a putative class alleged sufficient facts to establish standing to sue Neiman Marcus following a 2013 data breach. During that breach, hackers gained access to customers’ credit and debit card information.
On July 20, 2015, the United States Court of Appeals for the Seventh Circuit reversed a previous decision that dismissed a putative data breach class action against Neiman Marcus for lack of Article III standing. Remijas et al. v. Neiman Marcus Group, LLC, No. 14-3122.
On July 10, 2015, the Federal Communications Commission (“FCC”) released a Declaratory Ruling and Order that provides guidance with respect to several sections of the Telephone Consumer Protection Act (“TCPA”). The Declaratory Ruling and Order responds to 21 separate requests from industry, government and others seeking clarifications regarding the TCPA and related FCC rules.
On July 14, 2015, pursuant to an implementation requirement of Government Regulation 82 of 2012, the Indonesian government published the Draft Regulation of the Minister of Communication and Information (RPM) of the Protection of Personal Data in Electronic Systems (“Proposed Regulation”). The Proposed Regulation addresses the protection of personal data collected by a variety of government agencies, enumerates the rights of those whose personal data is collected and the obligations of users of Information Communication Technology. Agencies to which the Proposed Regulation would apply include: the Directorate General of Immigration, which manages passport data; the Financial Services Authority, which regulates financial sector data; the Bank Indonesia, which regulates banking data; the Indonesian Consumers Foundation, which regulates protection of consumer data; the National Archives; and the Ministry of Health, which regulates health data and archives. The government provided a 10-day comment period for the proposal.
On June 30, 2015, the Federal Trade Commission announced its new “Start With Security” business education initiative, which will provide businesses with information on data security and how to protect consumer information.
The U.S. District Court for the Central District of California recently granted, only in part, a motion to dismiss a data breach class action against Sony Pictures Entertainment, Inc. (“Sony”) in Corona v. Sony Pictures Entertainment, Inc., No. 14-CV-09600 (RGK) (C.D. Cal. June 15, 2015). The case therefore will proceed with some of the claims intact.
Legislators in New Hampshire and Oregon recently passed bills designed to protect the online privacy of students in kindergarten through 12th grade.
On June 11, 2015, New Hampshire Governor Maggie Hassan (D-NH) signed H.B. 520, a bipartisan bill that requires operators of websites, online platforms and applications targeting students and their families (“Operators”) to create and maintain “reasonable” security procedures to protect certain covered information about students. H.B. 520 also prohibits Operators from using covered information for targeted advertising. H.B. 520 defines covered information broadly as “personally identifiable information or materials,” including name, address, date of birth, telephone number and educational records, provided to Operators by students, their schools, their parents or legal guardians, or otherwise gathered by the Operators.
On June 16, 2015, the Consumer Federation of America announced in a joint statement with other privacy advocacy groups that they would no longer participate in the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) multistakeholder process to develop a code of conduct regarding the commercial use of facial recognition technology. The letter was signed by the Center for Democracy & Technology, the Center for Digital Democracy, the Consumer Federation of America, Common Sense Media, the Electronic Frontier Foundation, the American Civil Liberties Union, Consumer Action, Consumer Watchdog and the Center on Privacy & Technology at Georgetown University Law Center. This decision comes after 16 months of meetings and negotiations. In its announcement, the group highlighted its inability to come to an agreement with industry groups on how the issue of consumer consent would be addressed in a code of conduct regarding the use of facial recognition technology. Specifically, the disagreement between consumer and industry groups revolved around the default rule for consumer consent (i.e., whether the default should be opt-in or opt-out consent).
On May 19, 2015, China’s Ministry of Industry and Information Technology promulgated its Provisions on the Administration of Short Messaging Services (the “Provisions”), which will take effect on June 30, 2015.
On May 25, 2015, the French Data Protection Authority (“CNIL”) released its long-awaited annual inspection program for 2015. Under French data protection law, the CNIL may conduct four types of inspections: (1) on-site inspections (i.e., the CNIL may visit a company’s facilities and access anything that stores personal data); (2) document reviews (i.e., the CNIL may require an entity to send documents or files upon written request); (3) hearings (i.e., the CNIL may summon representatives of organizations to appear for questioning and provide other necessary information); and (4) since March 2014, online inspections.
After a number of high-profile data breaches, corporate cybersecurity is facing increased scrutiny and attention from consumers, the government and the public. In a webinar, entitled Cyber Insurance: Addressing Your Risks and Liabilities, hosted by Hunton & Williams LLP and CT, Hunton & Williams partners Lon A. Berk and Lisa J. Sotto provide a background into the current cyber threats and educate companies and their counsel on how to take full advantage of their existing insurance programs and specialized cyber insurance products to effectively and proactively address cyber ...
On May 20, 2015, the Federal Communications Commission (“FCC”) released an Enforcement Advisory announcing that its previously-released Open Internet Order “applies the core customer privacy protections of Section 222 of the Communications Act to providers of broadband Internet access service” and that the statutory provisions of Section 222, which historically have been used to protect Consumer Proprietary Network Information on telephone networks, will apply to broadband providers when the Open Internet Order goes into effect on June 12, 2015. This approach will expand broadband providers’ requirements to protect consumer privacy and limit their use of consumer data.
On May 7, 2015, the Digital Advertising Alliance (“DAA”) announced that, as of September 1, 2015, the Council of Better Business Bureaus and the Direct Marketing Association will begin to enforce the DAA Self-Regulatory Principles for Online Behavioral Advertising and the Multi-Site Data Principles (collectively, the “Self-Regulatory Principles”) in the mobile environment.
On May 7, 2015, the U.S. Court of Appeals for the Second Circuit sided with the American Civil Liberties Union, holding that the National Security Agency’s (“NSA’s”) collection of metadata relating to domestic phone records is not permitted under the PATRIOT Act. This ruling overturns a December 2013 Southern District of New York decision finding that the NSA’s telephone data collection program is lawful under Section 215 of the PATRIOT Act. The Second Circuit did not issue a preliminary injunction to stop the program or address questions as to whether the program is ...
On April 8, 2015, a New York Assemblyman introduced the Data Security Act in the New York State Assembly that would require New York businesses to implement and maintain information security safeguards. The requirements would apply to “private information,” which is defined as either:
- personal information consisting of any information in combination with one or more of the following data elements, when either the personal information or the data element is not encrypted: Social Security number; driver’s license number or non-driver identification card number; financial account or credit or debit card number in combination with any required security code or password; or biometric information;
- a user name or email address in combination with a password or security question and answer that would permit access to an online account; or
- unsecured protected health information (as that term is defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule).
On April 23, 2015, the Federal Trade Commission (“FTC”) announced that Nomi Technologies (“Nomi”) has agreed to settle charges stemming from allegations that the company misled consumers with respect to their ability to opt out of the company’s mobile device tracking service at retail locations. The settlement marks the FTC’s first Section 5 enforcement action against a company that provides tracking services at retailers.
On April 15, 2015, the Federal Communications Commission (“FCC”) announced that it has joined the Asia Pacific Privacy Authorities (“APPA”), the principal forum for privacy authorities in the Asia-Pacific Region. APPA members meet twice a year to discuss recent developments, issues of common interest and cooperation. The FCC now joins the Federal Trade Commission as the U.S. representatives to APPA.
On April 13, 2015, the Senate of Washington State unanimously passed legislation strengthening the state’s data breach law. The bill (HB 1078) passed the Senate by a 47-0 vote, and as we previously reported, passed the House by a 97-0 vote.
On April 13, 2015, the Federal Trade Commission announced that it has settled charges with two debt brokers who posted consumers’ unencrypted personal information on a public website. The settlements with Cornerstone and Company, LLC (“Cornerstone”), Bayview Solutions, LLC (“Bayview”), and the companies’ individual owners resulted from initial complaints about the debt brokers in 2014. Cornerstone and Bayview allegedly had posted the personal information of their debtors in unencrypted Excel spreadsheets on a publicly accessible website geared to buyers and sellers of consumer debt. The information included consumers’ names, addresses, credit card numbers, bank account numbers and debt amounts.
On April 8, 2015, the Federal Communications Commission announced a $25 million settlement with AT&T Services, Inc. (“AT&T”) stemming from allegations that AT&T failed to protect the confidentiality of consumers’ personal information, resulting in data breaches at AT&T call centers in Mexico, Colombia and the Philippines. The breaches, which took place over 168 days from November 2013 to April 2014, involved unauthorized access to customers’ names, full or partial Social Security numbers and certain protected account-related data, affecting almost 280,000 U.S. customers.
On March 23, 2015, the Federal Trade Commission announced the formation of the Office of Technology Research and Investigation (“OTRI”), which the FTC describes as “an office designed to expand the FTC’s capacity to protect consumers in an age of rapid technological innovation.”
On November 16, 2015, the Federal Trade Commission will host a workshop in Washington, D.C., to examine the benefits and privacy risks associated with “cross-device tracking.” The workshop intends to highlight the types of cross-device tracking techniques and how businesses and consumers can benefit from these practices. The workshop also will address related privacy and security risks, and discuss whether self-regulatory programs apply to these practices.
On March 4, 2015, the House of Representatives of Washington passed a bill (HB 1078), which would amend the state’s breach notification law to require notification to the state Attorney General in the event of a breach and impose a 45-day timing requirement for notification provided to affected residents and the state regulator. The bill also mandates content requirements for notices to affected residents, including (1) the name and contact information of the reporting business; (2) a list of the types of personal information subject to the breach; and (3) the toll-free telephone numbers and address of the consumer reporting agencies. In addition, while Washington’s breach notification law currently applies only to “computerized” data, the amended law would cover hard-copy data as well.
On March 9, 2015, the Federal Trade Commission announced that it has entered into a Memorandum of Understanding (the “Memorandum”) with the Dutch Data Protection Authority (the “Dutch DPA”).
On February 26, 2015, the Department of Education’s Privacy Technical Assistance Center (“PTAC”) issued guidance to assist schools, school districts and vendors with understanding the primary laws regulating student privacy and how compliance with those laws may be affected by Terms of Service (“TOS”) offered by providers of online educational services and mobile applications. The guidance also is intended to aid school districts and schools in implementing separate guidance issued by the PTAC in February 2014. The guidance was accompanied by a short training video directed to teachers, administrators and other relevant staff.
On March 3, 2015, the Third Circuit heard oral arguments in FTC v. Wyndham Worldwide Corp. (“Wyndham”) on whether the FTC has the authority to regulate private companies’ data security under Section 5 of the FTC Act.
On March 3, 2015, Steven Barnes, the host of the new Penn Law podcast series, Case in Point: Great Minds on Law and Life, interviewed Lisa Sotto, partner and chair of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, and Anita Allen, professor of law and philosophy at the University of Pennsylvania Law School and vice provost for faculty on trends in privacy and cybersecurity, discussing what we mean when we talk about our right to privacy.
On March 2, 2015, HuffPost Live interviewed four cybersecurity experts in response to a top financial regulator’s warning of an “Armageddon-type cyber event” that could eventually affect the U.S. economy. Lisa Sotto, partner and chair of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, was featured, describing the threat as legitimate and stressing that hackers are becoming more creative, sophisticated and motivated. She also emphasized that cybersecurity is a high-level governance issue for companies, not an IT matter.
On February 27, 2015, the White House released a highly-anticipated draft of the Consumer Privacy Bill of Rights Act of 2015 (the “Act”) that seeks to establish baseline protections for individual privacy in the commercial context and to facilitate the implementation of these protections through enforceable codes of conduct. The Federal Trade Commission is tasked with the primary responsibility for promulgating regulations and enforcing the rights and obligations set forth in the Act.
On February 23, 2015, the Wyoming Senate approved a bill (S.F.36) that adds several data elements to the definition of “personal identifying information” in the state’s data breach notification statute. The amended definition will expand Wyoming’s breach notification law to cover certain online account access credentials, unique biometric data, health insurance information, medical information, birth and marriage certificates, certain shared secrets or security tokens used for authentication purposes, and individual taxpayer identification numbers. The Wyoming Senate also agreed with amendments proposed by the Wyoming House of Representatives to another bill (S.F.35) that adds content requirements to the notice that breached entities must send to affected Wyoming residents. Both bills are now headed to the Wyoming Governor Matt Mead for signing.
On February 5, 2015, the Federal Trade Commission sent a letter to the Consumer Financial Protection Bureau (“CFPB”) summarizing the agency’s efforts in the debt collection arena in 2014. The letter is intended to assist the CFPB with preparing its annual report to Congress on the enforcement of the Fair Debt Collection Practices Act, which must be submitted pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act. The FTC’s debt collection program involves three initiatives: (1) law enforcement, (2) education and public outreach, and (3) research and policy.
On February 4, 2015, the German government adopted a draft law to improve the enforcement of data protection provisions that are focused on consumer protection. As reported earlier, the new law would bring about a fundamental change in how German data protection law is enforced.
On January 27, 2015, the Federal Trade Commission announced the release of a report on the Internet of Things: Privacy and Security in a Connected World (the “Report”). The Report describes the current state of the Internet of Things, analyzes the benefits and risks of its development, applies privacy principles to the Internet of Things and discusses whether legislation is needed to address this burgeoning area. The Report follows a workshop by the FTC on this topic in November 2013.
On January 21, 2015, the Federal Trade Commission announced that the U.S. District Court for the Central District of Illinois granted partial summary judgment on December 12, 2014, to the federal government in its action against Dish Network LLC (“Dish”), alleging that Dish violated certain aspects of the Telemarketing Sales Rule (“TSR”) that restrict placing calls to numbers on the National Do-Not-Call Registry and an entity’s internal Do-Not-Call list. The federal government is joined in the action against Dish by four state attorneys general alleging violations of the Telephone Consumer Protection Act and certain state laws related to telemarketing.
Indiana Attorney General Greg Zoeller has prepared a new bill that, although styled a “security breach” bill, would impose substantial new privacy obligations on companies holding the personal data of Indiana residents. Introduced by Indiana Senator James Merritt (R-Indianapolis) on January 12, 2015, SB413 would make a number of changes to existing Indiana law. For example, it would amend the existing Indiana breach notification law to apply to all data users, rather than owners of data bases. The bill also would expand Indiana’s breach notification law to eliminate the requirement that the breached data be computerized for notices to be required.
On January 5, 2015, the State Administration for Industry and Commerce of the People’s Republic of China published its Measures for the Punishment of Conduct Infringing the Rights and Interests of Consumers (the “Measures”). The Measures contain a number of provisions defining circumstances or actions under which enterprise operators may be deemed to have infringed the rights or interests of consumers. These provisions are consistent with the basic rules in the currently effective P.R.C. Law on the Protection of Consumer Rights and Interests (“Consumer Protection Law”). The Measures will take effect on March 15, 2015.
On January 13, 2015, President Obama announced legislative proposals and administration efforts with respect to cybersecurity, including a specific proposal for a national data breach notification standard. Aside from the national data breach notification standard, the President’s other proposals are designed to (1) encourage the private sector to increase the sharing of information related to cyber threats with the federal government and (2) modernize law enforcement to effectively prosecute illegal conduct related to cybersecurity.
On January 6, 2015, Federal Trade Commission Chairwoman Edith Ramirez gave the opening remarks on “Privacy and the IoT: Navigating Policy Issues” at the 2015 International Consumer Electronics Show (“International CES”) in Las Vegas, Nevada. She addressed the key challenges the Internet of Things (“IoT”) poses to consumer privacy and how companies can find appropriate solutions that build consumer trust.
On January 12, 2015, President Obama announced at the Federal Trade Commission several new initiatives on data security and consumer privacy as part of a weeklong focus on privacy and cybersecurity. He noted that on January 13 at the Department of Homeland Security, he would address how to improve protections against cyber attacks, and on January 14, he would address how more Americans can have access to faster and cheaper broadband Internet. He stated that the announcements he is making this week are “sneak previews” of the proposals he will make in next week’s State of the Union address.
In December 2014, we reported that various technology companies, academics and trade associations filed amicus briefs in support of Microsoft’s attempts to resist a U.S. government search warrant seeking to compel it to disclose the contents of customer emails that are stored on servers in Ireland. On December 23, 2014, the Irish government also filed an amicus brief in the 2nd Circuit Court of Appeals.
On December 18, 2014, the Financial Crimes Enforcement Network (“FinCEN”) issued a $1 million civil penalty against Thomas E. Haider, the former Chief Compliance Officer of MoneyGram International, Inc. (“MoneyGram”). In a press release announcing the assessment, FinCEN alleged that during Haider’s oversight of compliance for MoneyGram, he failed to adequately respond to thousands of customer complaints regarding schemes that utilized MoneyGram to defraud consumers. In coordination with FinCEN, the U.S. Attorney’s office in the Southern District of New York filed a civil complaint on the same day, seeking a $1 million civil judgment against Haider to collect on the assessment and requesting injunctive relief barring him from participating in the affairs of any financial institution located or conducting business in the United States.
On December 19, 2014, the Federal Trade Commission announced a settlement of at least $90 million with mobile phone carrier T-Mobile USA, Inc. (“T-Mobile”) stemming from allegations related to mobile cramming. This settlement amount will primarily be used to provide refunds to affected customers who were charged by T-Mobile for unauthorized third party charges. As part of the settlement, T-Mobile also will pay $18 million in fines and penalties to the attorneys general of all 50 states and the District of Columbia, and $4.5 million to the Federal Communications Commission.
On December 15, 2014, Microsoft reported the filing of 10 amicus briefs in the 2nd Circuit Court of Appeals signed by 28 leading technology and media companies, 35 leading computer scientists, and 23 trade associations and advocacy organizations, in support of Microsoft’s litigation to resist a U.S. Government’s search warrant purporting to compel the production of Microsoft customer emails that are stored in Ireland. In opposing the Government’s assertion of extraterritorial jurisdiction in this case, Microsoft and its supporters have argued that their stance seeks to promote privacy and trust in cross-border commerce and advance a “broad policy issue” that is “fundamental to the future of global technology.”
On December 9, 2014, a coalition of 23 global privacy authorities sent a letter to the operators of mobile application (“app”) marketplaces urging them to require privacy policies for all apps that collect personal information. Although the letter was addressed to seven specific app marketplaces, the letter notes that it is intended to apply to all companies that operate app marketplaces.
The Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) has published a second white paper in its multi-year Privacy Risk Framework Project entitled The Role of Risk in Data Protection. This paper follows the earlier white paper from June 2014 entitled A Risk-based Approach to Privacy: Improving Effectiveness in Practice.
On November 21, 2014, Massachusetts Attorney General Martha Coakley announced that Boston hospital Beth Israel Deaconess Medical Center (“BIDMC”) has agreed to pay a total of $100,000 to settle charges related to a data breach that affected the personal and protected health information of nearly 4,000 patients and employees.
On November 18, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including a report on the International Conference of Data Protection and Privacy Commissioners, highlights on the Council of the European Union’s proposed revisions to the compliance obligations of data controllers and data processors included in Chapter IV of the forthcoming EU General Data Protection Regulation, and U.S. highlights on California’s breach report and Federal Communications Commission enforcement actions.
On November 12, 2014, the Federal Trade Commission announced that in response to FTC complaints, a federal court has ordered two debt brokerage companies to notify over 70,000 consumers whose sensitive personal information was posted on a public website by the debt brokerage companies.
On November 17, 2014, the Federal Trade Commission announced that data privacy certifier True Ultimate Standards Everywhere, Inc. (“TRUSTe”) has agreed to settle charges that the company deceived consumers about its recertification program and misrepresented that it was a non-profit entity in violation of Section 5 of the FTC Act.
On October 8, 2014, the United States District Court for the Northern District of Georgia granted Cartoon Network, Inc.’s (“Cartoon Network’s”) motion to dismiss a putative class action alleging that Cartoon Network’s mobile app impermissibly disclosed users’ personally identifiable information (“PII”) to a third party data analytics company under the Video Privacy Protection Act (“VPPA”).
On October 24, 2014, the Federal Communications Commission announced that it intends to impose a $10 million fine on TerraCom, Inc. (“TerraCom”) and YourTel America, Inc. (“YourTel”) for violating privacy laws relating to their customers’ personal information. This announcement marks the FCC’s first enforcement action in the data security arena as well as its largest privacy action to date.
On October 28, 2014, California Attorney General Kamala D. Harris announced the release of the second annual California Data Breach Report. The report provides information on data breaches reported to California’s Attorney General in 2012 and 2013. Overall, 167 breaches were reported by 136 different entities to California’s Attorney General in 2013. According to the report, 18.5 million records of California residents were compromised by these reported breaches, up more than 600 percent from the 2.6 million records compromised in 2012. In addition, the number of reported data breaches increased by 28 percent in 2013, rising from 131 in 2012 to 167 in 2013.
On October 22, 2014, the Federal Trade Commission announced that several interrelated online marketing and advertising companies (“Stipulating Defendants”) agreed to pay nearly $10 million to settle allegations that they engaged in a pattern of text message spamming, robocalling and mobile cramming practices in violation of Section 5 of the FTC Act, the Telemarketing and Consumer Fraud and Abuse Prevention Act, and the Telemarketing Sales Rule.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code