Subscribe

* indicates required

Explore MVALAW.COM

Posts tagged Social Media.
The Supreme Court’s Facebook Ruling Narrows TCPA Claims—But Does Not Eliminate Them

Last month, the Supreme Court resolved a long-standing circuit split over the definition of an “automatic telephone dialing system” (ATDS) under the Telephone Consumer Protection Act (TCPA). The highly-anticipated decision in Facebook v. Duguid narrowed the type of equipment that constitutes an ATDS, and therefore drastically limited the scope of “automated” calls and texts that violate the TCPA.  

USDOL Offers Guidance on Data Security for Plan Fiduciaries and Service Providers

The Employee Benefits Security Administration of the United States Department of Labor (“EBSA”)  recently published guidance regarding cybersecurity best practices for recordkeepers and service providers responsible for plan related information technology systems and data for ERISA-covered plans, including 401k and other pension plans.

The EBSA counseled that a plan’s service providers should implement the following practices:

  1. Have a formal, well documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third-party ...

Virginia’s Consumer Data Protection Act makes it the second state to pass a comprehensive data privacy law.

Another Major Setback for EU-U.S. Data Transfer in “Schrems II”

On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its judgment in the “Schrems II” case, cautiously upholding Standard Contractual Clauses (SCCs) and invalidating the popular EU-U.S. Privacy Shield.  The judgment is the second major triumph affecting transatlantic commerce for Austrian privacy activist, Max Schrems. 

Under the EU’s General Data Protection Regulation (“GDPR”), an organization may only transfer individuals’ personal data to non-EU countries for processing if the European Commission determines the third country ...

Beware Compromised Business Email . . .and the Litigation That Follows

Businesses are facing this system hack with ever-increasing frequency:  An accounts payable employee receives new or updated payment instructions from a vendor via email.  The email appears to be from a familiar counterpart at the vendor; it contains accurate details specific to a current transaction; the new bank is well known; and the new instructions have the vendor’s name, or a version of it, as the beneficiary.

Update: The Washington Privacy Act

For more background on the Washington Privacy Act, see: Washington State Legislature Takes Another Shot At a Consumer Data Privacy Law (DataPoints, 1/22/2020)


Senate Bill 6281, the Washington Privacy Act, passed out of the Senate on February 14 and moved to the House of Representatives where it is expected to run up against some skepticism and questions. 

The bill was drafted to help bring Washington state more in line with California’s and the EU’s data privacy regulation efforts, in the absence of comprehensive privacy regulation at the federal level.  The Act places ...

Washington State Legislature Takes Another Shot At a Consumer Data Privacy Law

Following an unsuccessful attempt last year at passing a comprehensive data privacy bill, the Washington State Legislature is hoping the second time’s the charm. Senate Bill 6281, this session’s updated version of The Washington Privacy Act, is based on the best practices taken from the European Union’s General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) which went into effect on January 1 of this year. Although last year’s effort fizzled in Washington’s House of Representatives after passing the Senate 46-1, SB 6281 has been ...

Schrems II Opinion Casts Doubt on EU-US Data Protection Rules

Facebook is at the center of the “Schrems” case, which exposed contradictions between U.S. and EU data privacy rules and toppled the U.S./EU Safe Harbor (Schrems I). In Schrems II, Austrian Max Schrems challenges the adequacy of standard contractual clauses and the Privacy Shield (the replacement to the Safe Harbor).  A recent opinion in Schrems II questions the adequacy of privacy protections guaranteed by the U.S. but for now preserves the Privacy Shield and standard contractual clauses as potential adequate means of transferring personal data from the EU to the U.S.

The ...

The Wait is Over: Proposed Regulations Implementing the CCPA are Released

By Suzanne Gainey and Tandy Mathis.  On October 10, California Attorney General Xavier Becerra announced that the long-awaited proposed regulations implementing the California Consumer Privacy Act (“CCPA”) are available for public comment.  Although the regulations are not yet final, they do provide some visibility into what the Attorney General will expect from businesses that are subject to the CCPA.  While the proposed regulations add some clarity to the (sometimes unclear) language of the CCPA, the regulations also raise new questions about the application of the CCPA ...

California Consumer Privacy Act Update: AB25 and AB1355 Approved by California Governor

Earlier we posted an article regarding the amendments to the California Consumer Privacy Act by AB 25 and AB1355 creating a moratorium on the application of much of the CCPA to employee personal information—subject to approval by California’s governor. Pleased to report that Governor Newsom approved both AB25 and AB1355 and therefore the moratorium will be in effect until January 1, 2021. Some welcome relief to businesses trying to comply with the CCPA’s requirements.

California Consumer Privacy Act Update: California Legislature Provides Relief for Businesses Processing Employee Data

The California Consumer Privacy Act (CCPA) imposes significant protections for California residents covered by the law, and significant burdens for companies required to comply with it.    One area of concern is whether the CCPA applied to employee data collected by a business.  The language of the CCPA was unclear, but was open to the interpretation that its protections covered such data.  With an effective date of January 1, 2020, employers have been watching to see if the California legislature would clear up the uncertainty.  The good news is that for at least until January 1, 2021, most ...

NY Governor Signs Data Breach Security Law

As anticipated, today New York’s governor signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) discussed in our recap of US data breach laws enacted in the first half of 2019. The bill passed the state senate by a margin of 41 – 21. The law updates the body of law governing data breaches in New York by increasing the scope of information subject to current data breach notification laws and expanding notification requirements.

US Data Breach and Privacy 2019 Legislative Recap

A few weeks ago, Texas signed into law an amendment to its data breach law, capping off a busy first half of 2019 for state lawmakers in this arena.  As we gear up for the second half of 2019, we thought a recap was worthwhile.  The legislation reflects a number of trends, including increasing obligations on consumer reporting agencies (CRAs) to protect consumers (no doubt in part a reaction to the Equifax breach), and updating data breach notice and reporting to provide more transparency and more information to consumers to protect their data, and to update older laws to address ...

North Carolina Amendments to Data Breach Law Finally Introduced

On April 16, 2019, Representatives Saine, Jones and Reives introduced House Bill 904, the long anticipated amendments to the North Carolina Identity Theft Protection Act, N.C. Gen. Stat. § 75-61 et seq.. We first wrote about the proposed legislation in February 2018 [Two Proposed Data Security Laws Reflect National Trend Toward Affirmative Responsibilities]. The bill also amends the definition of identifying information in North Carolina’s criminal identity theft statute, N.C. Gen. Stat. § 14-113.20(b), adopted by reference in the Identity Theft Protection Act’s ...

Washington State Legislature Moves Toward Passage of Broad Consumer Data Privacy Law

Following in the footsteps of California, and the European Union’s General Data Protection Regulation, the State of Washington is taking steps to adopt a comprehensive privacy law focused on protecting consumer information. SB 5376, better known as the Washington Privacy Act, passed in the Washington State Senate on March 6, 2019 by a vote of 46 to 1 and had a public hearing in the Washington State House Committee on Innovation, Technology & Economic Development on March 22, 2019.

The bill has also received support from Microsoft General Counsel and former U.S. FTC Commissioner ...

Illinois Supreme Court Rules on Biometric Privacy Case

Today, the Illinois Supreme Court unanimously held that actual harm was not a necessary component of proving a breach of the state’s Biometric Information Privacy Act.  This ruling found that Stacy Rosenbach, the mother of a minor whose thumbprint was collected by Six Flags as part of a season pass holder purchase, can be considered an “aggrieved person” under the state’s biometric privacy law without alleging that her child’s data was stolen or misused.

This decision is significant because Illinois has the nation’s only biometric privacy law with a private right of ...

SEC Issues Disclosure Guidance as Part of Continued Focus on Cybersecurity

As cybersecurity attacks have continued to gain prominence as a threat posing critical risk management and compliance challenges for financial institutions, the Securities and Exchange Commission (SEC) has emerged as an active federal regulator in this arena. In September 2017, the SEC announced creation of a Cyber Unit housed within the SEC’s Enforcement Division that targets cyber-related misconduct, including hacking to obtain material nonpublic information, intrusions into retail brokerage accounts, and cyber-related threats to trading platforms and other ...

NYS DFS September 4, 2018 Cybersecurity Compliance Deadline

Tuesday, September 4, 2018 marked the New York State Department for Financial Service’s deadline for compliance with several sections of cybersecurity regulation 23 NYCRR 500 (the “Regulation”).  The Regulation covers any organization that operates (or is required to operate) under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law (Title 3 of the NYCRR), the Insurance Law (Title 11 of the NYCRR), or the Financial Services Law (Title 23 or the NYCRR) (a “Covered Entity”).  This is the third compliance ...

Update on California Consumer Privacy Act

By Bret Buckler and Todd Taylor
Recently the state of California passed a data privacy and security law called the California Consumer Privacy Act (“CCPA”) (Assembly Bill 375, found here).

The law, which takes effect on January 1, 2020, is aimed at establishing a defined set of rights for consumers with regard to how their personal information is being collected and used.  The political push for the law comes on the heels of a contentious few months where tech giants such as Facebook have admitted to potentially problematic data breaches and oversharing of personal information ...

What’s next for Facebook?

Now that the cameras have gone, the booster cushion has been removed from the witness chair, and Mark Zuckerberg is comfortably back in in Palo Alto, having survived his marathon two-days of testimony in front of a somewhat confused Congress, what’s next? 

Regulations  

Following the revelations that a political marketing firm, Cambridge Analytica, improperly obtained personal information from approximately 87 million Facebook user profiles (including even Mark Zuckerberg’s!), Congress has more support than ever to regulate Facebook and other social media tech.  On his ...

The CLOUD Act – Congress Passes New Bill Which Will Impact Access To Cross-Border Data

By Tandy Mathis

On Friday, March 23, 2018, Congress passed a 2,232 page omnibus spending bill. Included in the bill was a bipartisan act known as the “Clarifying Lawful Overseas Use of Data Act” or CLOUD Act, which will allow United States law enforcement to access the data stored abroad for U.S. citizens and will provide some relief to foreign law enforcement agencies to access the data of their citizens when that data is stored in the U.S..

The CLOUD Act Overhauls an Outdated Stored Communications Act (SCA) and an Overburdened Mutual Legal Assistance Treaty (MLAT) Act

At its core ...

North Carolina Security Breach Report 2017

By Nathan White

According to the recently released North Carolina Attorney General Security Breach Report, nearly 5,337,154 North Carolinians were impacted by security breaches in 2017.  The Report highlights several trends data protection specialists and North Carolina businesses should take into consideration.

The report breaks down 1,022 data breaches occurring in North Carolina during calendar year 2017.  For the first time since reporting was required in 2005, hacking constituted a slight majority of the reported breaches at 50.49%.  This reflects a continuing trend of ...

Two Proposed Data Security Laws Reflect National Trend Toward Affirmative Responsibilities

With major consumer data breaches making headlines on a semi-regular basis, legislators around the country are starting to hold businesses more accountable for cybersecurity compliance.  Industry-specific laws such as HIPAA and the Gramm-Leach-Bliley Act (GLBA) already establish federal data security standards for some companies, and the Federal Trade Commission has taken the position that failure to have reasonable security measures is a violation of the FTC Act (see our DataPoints post here). 

From Massachusetts to New Mexico, a handful of state legislatures also have ...

Delaware Amends Personal Information Protection Law

On August 17, 2017, Delaware amended its personal information protection law, Delaware Code Title 6, Chapter 12B.  The amendment becomes effective 240 days after enactment or March 14, 2018. The amended law significantly enhances the protections afforded Delaware residents whose personal information has been – or is reasonably believed to have been – breached, by adding obligations on the part of a person or entity who conducts business in Delaware or owns, licenses and maintains “personal information” as the Delaware law defines the term. The major changes to the law are ...

“Not so fast, my friend*” -- Judge Orders DreamHost Comply with DOJ’s Disruptj20 Search Warrant, with Caveats

By Nathan A. White

Can the government force the hosting service of an activist website company to turn over vast amounts of user data in order to track down political protesters?  According to a federal court ruling, the answer  -- Yes, but let’s slow this train down a little bit.  On Thursday, August 24, 2017, District of Columbia Superior Court Chief Judge Robert E. Morin ordered DreamHost to comply with a search warrant issued by the Department of Justice on July 12, 2017 seeking IP addresses and other data of visitors to “disruptj20.org” website hosted by DreamHost.  Disruptj20 ...

D.C. Circuit Finds that Theft of Health Insurance Subscriber ID Numbers Is a Cognizable Injury in Identity Theft Litigation

By Bill Butler

Recently, the D.C. Circuit Court of Appeals ruled in Attias v. CareFirst, Inc., No. 16-7108, that customers had standing to sue a health insurer for a 2014 data breach in which the customers’ information was stolen.  In reversing the district court’s dismissal of the class action, the D.C. Circuit held that the customers’ allegations that the hackers accessed and took their Social Security numbers, credit card numbers, and health insurance subscriber ID numbers were each independently sufficient to show actual or imminent injury.  The customers’ complaint ...

MVA Seminar - Privacy and Data Security in the Trump Era: How to talk to the FBI and your IT Department in a Data Breach

PRIVACY AND DATA SECURITY IN THE TRUMP ERA: HOW TO TALK TO THE FBI AND YOUR IT DEPARTMENT IN A DATA BREACH (MAY 24, 2017): Effectively responding to a data breach requires clear communication with a web of internal and external groups. Two important groups are law enforcement and a company’s internal IT department. With the help of an FBI agent and an IT professional, this seminar will explore how to effectively work with these two groups to address a breach. Wednesday, May 24, 2017 11:30 AM - 1:00 PM. Register here.

 

New Mexico Becomes 48th State to Enact Data Breach Statute

Recently the state of New Mexico enacted the Data Breach Notification Act, making it the 48th state in the United States to enact a statute requiring notice to individuals impacted by a data breach. In doing so, New Mexico follows some trends we've been predicting at the state level.  These trends include covering encrypted data in the definition of personal information if the encryption key is accessed as well, and – importantly – requiring that companies engage in reasonable security measures to protect personal information in their possession. New Mexico also joins a handful of ...

The FTC’s Public Comment on the NTIA’s Draft Coordinated Vulnerability Disclosure Template Reflects Further Support for the NIST’s Cybersecurity Framework

By Bill Butler

In August 2016, the Federal Trade Commission (“FTC”) addressed the effect of the Cybersecurity Framework (“NIST Framework”) issued by the National Institute of Standards and Technology on FTC enforcement actions under Section 5 of the FTC Act.  While there have been few enforcement actions to gauge the actual impact of the NIST Framework, the FTC’s recent public comment on the National Telecommunications and Information Administration’s (“NTIA”) proposed “coordinated vulnerability disclosure” template (“Template”) further ...

Beck v. McDonald – 4th Circuit Weighs In on Standing in Data Breach Case

We don’t see a lot of data breach litigation here in the Fourth Circuit, so it is notable that the Fourth Circuit Court of Appeals issued an opinion recently that weighs in on the standing debate (For more on the debate: Constitutional Standing Provides Fertile Battleground In Data Breach Litigation). In Beck v. McDonald, the plaintiffs in two consolidated cases sought to establish Article III standing based on the harm from embarrassment, mental distress, inconvenience, the increased risk of future identity theft and the cost of measures to protect against it after (i) a ...

Your Uber Driver Might Not Be the Only One Who Knows Where You Were Picked Up and Dropped Off….
By Tandy Mathis, Elena Mitchell, and Mindy Vervais

 

Did you know that if you’ve taken a New York City taxi since 2009, your pick-up and drop-off locations were recorded and published (through June of 2016) on the internet for anyone to find? Now, New York City officials want ride-sharing companies like Uber and Lyft to start providing drop-off and pick-up location data, too.

The New York City Taxi and Limousine Commission, or TLC, currently collects all kinds of trip data from New York City taxis—including pick-up and drop-off dates and times, coordinates of the start and end ...

Happy Data Privacy Day!  A Few Tips from the MVA Privacy and Data Security Group

Saturday January 28, 2017 is Data Privacy Day.  The Moore & Van Allen Privacy and Data Security group took a break from the pre-holiday revelries to put together some thoughts and tips for DataPoints.  So hoist a glass and enjoy this read, and try not to ponder too long the irony that Data Privacy Day falls on the same day as China’s New Year’s celebration.  Cheers!

  • Update vendor contracts. Make sure that contracts include required data security and privacy requirements. Some older laws and regulations already impose specific data security and privacy standards for certain industries ...
Live Streaming: The Privacy Concerns of Behind-the-Scenes Access

By Leslie Pedernales

A professional football team clinches their playoff spot in an upset game, then hits the locker room for a celebration and an inspirational pep talk from their winning coach.  The perfect application for livestreaming, one might think.  Opening a window into this mysterious world for all the rest of us to see and experience.  Not so fast.

After the Pittsburgh Steelers upset the Kansas City Chiefs in the AFC playoff game on January 15, Steelers wide receiver Antonio Brown invited the world into the Steelers’ locker room to join in the celebration through Facebook ...

Constitutional Standing Provides Fertile Battleground In Data Breach Litigation

A common and understandable concern of companies that suffer a data breach is whether the victims can sue the company.  It is tempting to assume that the victims won’t sue if they do not suffer identity theft or monetary loss through misuse of the data.  Not all victims, or courts, agree.  As a result, standing, a constitutional prerequisite to bringing a lawsuit in federal court that is most often conceded rather than litigated, has become a focal point in data breach litigation where “risk of future harm,” rather than actual misuse of data, forms the basis of the victims’ claims.

To ...

The FTC Faces an Embarrassing Set-Back in its Data Security Enforcement Authority as the LabMD Saga Continues

On November 10th, the Eleventh Circuit Court of Appeals handed an embarrassing defeat to the Federal Trade Commission and an early Christmas present to LabMD, Inc. in the ongoing David and Goliath battle between the government agency and the new-defunct clinical lab.

What Happened?

It’s not easy to explain in a blog entry the complex backstory leading up to LabMD’s recent win, but here goes:

Over a thirteen year period (until it ceased business in 2014), LabMD operated a clinical laboratory that performed tests on patient specimen samples.  As part of its operations, LabMD had ...

Political Speech in the Workplace

By Leslie Pedernales

The upcoming presidential election between two larger-than-life characters, each capable of stirring intense emotional reactions from both sides, is sure to produce some spirited debate around the water cooler this fall.  Many employees mistakenly assume that their expression of political speech (including nonverbal expression such as buttons or signs) is protected by the First Amendment of the U.S. Constitution.  However, it might surprise you to learn that employers generally have the right to regulate employee political speech – the level of that ...

MVA Seminar - Contracting for the Cloud
CONTRACTING FOR THE CLOUD (OCTOBER 27, 2016): Privacy and data security issues impact every industry and affect almost all aspects of a company’s operations. Sales, human resources, data maintenance and storage, IT, legal and compliance, even litigation, all require careful attention to protecting the privacy of personal information as well as preserving the integrity of company, customer or third party data. Moore & Van Allen developed the Privacy & Data Security Seminar Series 2016 to help our clients and friends of the firm navigate the legal and the practical challenges ...
The Early Days of the EU-U.S. Privacy Shield: Should Your Organization Self-Certify?

On August 1, 2016, the U.S. Department of Commerce began accepting self-certification applications for the new EU-U.S. Privacy Shield Framework.  In the month that has followed over 100 companies (including Microsoft, Oracle and Salesforce, among others) have self-certified that they are in compliance with the EU-U.S. Privacy Shield.

Now that that Privacy Shield is in effect and gaining acceptance, it is a good time for companies to examine whether the Privacy Shield makes sense for them.  To answer that question, it is important to understand some basic facts about the Privacy ...

FTC Data Security Standards: Final Order in the ASUSTeK Case; No Mercy for LabMD

The Federal Trade Commission, continuing its quest to be the enforcer of consumer privacy rights, has come down hard this month on ASUSTeK and LabMD for their failure to have adequate data security standards. Because the FTC has taken the position that its complaints and orders set the standard for adequate data security (DataPoints: Reading the Section 5(a) Tea Leaves: What the end of 2015 may suggest about the FTC priorities in 2016), companies subject to FTC jurisdiction should take heed.

LabMD cannot seem to catch a break. Although an ALJ dismissed the FTC’s claim against LabMD ...

European Parliament Passes Landmark Data Protection Regulation

Robert Sumner IV and Brandon Gaskins

On April 14, 2016, the European Parliament passed the General Data Protection Regulation (GDPR) and its companion, Data Protection Directive for Police and Criminal Justice Authorities.  The GDPR is a comprehensive regulation that includes new and enhanced privacy rights for European Union (EU) citizens, such as “the right to be forgotten” and the right to object to data processing, including data profiling.  The GDPR also establishes new and heightened obligations for companies doing business in the EU related to the collection, use, and ...

EU Article 31 Committee Approves EU-US Privacy Shield

EU Member States (the Article 31 Committee)  approved today the EU-US Privacy Shield.  The next step is formal adoption.  The full press release can be found here.

The approval of the Privacy Shield is good news for companies who transfer personal data from the EU to the US. Although legal challenges to the Privacy Shield are likely, the Privacy Shield was designed to address the shortcomings cited by the European Court of Justice in the now invalidated Safe Harbor self-certification scheme and should have a better chance of standing up to those legal challenges.

Related DataPoints Posts:

Another Challenge for Information Governance: The Defense of Trade Secrets Act

Tandy Mathis and Karin McGinnis

Good information governance requires not only protecting the security of sensitive and proprietary information; it often requires pursuing legal action against those who threaten the secrecy and value of a company’s trade secrets.  The Defense of Trade Secrets Act (“DTSA”) both provides another tool for companies to pursue misappropriators of trade secrets and makes it more difficult for companies to quickly seize misappropriated trade secrets through court action.  Given the challenges of the DTSA, companies should bolster their efforts ...

U.S. Government Petitions to Join Data Privacy Litigation Against Facebook in Ireland

On June 13, 2016, the United States government asked the Irish High Court to be joined as amicus curiae (friend of the court) in the case brought by the Austrian privacy activist Max Schrems against Facebook attacking the use of model contract clauses to transfer EU citizens’ data from the EU to the U.S. as violating fundamental privacy rights. This is an unusual request for the U.S. government to seek to intervene in private ligation, particularly in foreign courts. However, the stakes are high should Facebook lose, and the U.S. government’s surveillance practices are at the ...

MVA Seminar - The Nuts and Bolts of Data Security Programs: How to Put One Together for Your Company

THE NUTS AND BOLTS OF DATA SECURITY PROGRAMS: HOW TO PUT ONE TOGETHER FOR YOUR COMPANY (JUNE 2016): Privacy and data security issues impact every industry and affect almost all aspects of a company’s operations. Sales, human resources, data maintenance and storage, IT, legal and compliance, even litigation, all require careful attention to protecting the privacy of personal information as well as preserving the integrity of company, customer or third party data. Moore & Van Allen developed the Privacy & Data Security Seminar Series 2016 to help our clients and friends of the ...

MVA Seminar - Responding to a Data Breach:  What to Expect and What to Avoid
RESPONDING TO A DATA BREACH: WHAT TO EXPECT AND WHAT TO AVOID (APRIL 20, 2016): Verizon, Experian, and T-Mobile are on a growing list of entities impacted by major data breaches in the past year.  But data breaches are not just limited to large national companies or organizations. No one is immune. For most organizations—big or small—the question is not “if” they will be impacted by a data breach, but “when.” This seminar will help attendees gain a better understanding of what to do in the aftermath of a data breach, analyzing such questions as:
  • What should I expect after a ...
Energy Industry Target of Cyber-Attacks and Congressional Efforts to Bolster Security

Cybersecurity of the electric power grid and energy sector as a whole has been the subject of heightened Congressional attention given the integral role the industry plays in our economy. According to a 2015 U.S. Senate committee report, nearly one-third of reported cyber-attacks involve the energy sector. Not surprisingly, the 114th Congress (2015-2016) has introduced several pieces of legislation targeted towards enhancing the security of the nation’s energy infrastructure. Among the bills introduced were S. 1068 – An act to amend the Federal Power Act to protect the ...

President Obama Signs New Privacy Law – Judicial Redress Act

On February 24, 2016, President Obama signed into law the Judicial Redress Act giving citizens of certain “covered countries” access to U.S. courts to protect their privacy and take legal action against U.S. government agencies if their personal data is unlawfully disclosed.  The  Act provides that the U.S. Secretary of State, the Treasury Secretary and the Secretary of Homeland Security, will designate which countries and “regional economic integration organizations” (REIOs) will be “covered countries.”  To be designated, however, the countries and REIOs must ...

MVA Seminar - Privacy and Data Breach:  What Can Companies Expect in 2016?
PRIVACY AND DATA BREACH: WHAT CAN COMPANIES EXPECT IN 2016? (MARCH 16, 2016, SPEAKERS - KARIN MCGINNIS, TODD TAYLOR): 2016 promises to bring significant developments and challenges in information privacy and data security. Congress and state legislatures are continuing to focus on new laws to protect personal information while at the same time minimize the impact of cybersecurity threats. The Federal Trade Commission has made clear that it will continue to be a watchdog for privacy and data security violations affecting consumers, while at the same time the National Labor ...
Mobile Applications that Track User Information Have the FTC’s Attention

by Member Omari Sealy
Similar to website browsers, many mobile applications collect a variety of information from the user, including, the user’s identity, usage history, past log-ins, and location.  This enables the application to provide various functionality and to tailor features of the application for a better user experience (e.g., items retained in a shopping cart or targeted advertising).  These applications can be found in a variety of everyday devices such as smartphones, tablets, laptops, smart TVs, and even in some newer automobiles.  However, the enhanced ...

Inadequate OCR Technology and Policy Result in Few Consequences for Repeat HIPAA Violators

The Office for Civil Rights within the U.S. Department of Health and Human Services (OCR) is the federal agency tasked with enforcing the Health Insurance Portability and Accountability Act (HIPAA). HIPAA, as most folks reading this know, requires health care providers and other covered entities to protect the privacy and security of an individual’s protected health information (PHI). OCR has broad enforcement authority and wide latitude in deciding how to handle complaints alleging violations of HIPAA’s privacy, security, and breach notification rules. OCR can resolve a ...

US and EU “Privacy Shield” Framework for Cross-Border Data Transfers Submitted to Article 29 Working Party Today

by Privacy & Data Security Member Karin McGinnis

On the same day that groundhog Punxsutawney Phil predicted an early Spring, the EU College of Commissioners brought some sunshine of its own, announcing yesterday that it has reached an agreement with the U.S. on transfers of personal  data from the EU to the U.S.  Details on the “Privacy Shield” are sketchy, and the EU Commission still must confer with the Article 29 Working Party and draft a decision document setting forth the terms.  But this is welcome news for companies on both sides of the pond.  More good news came today.  The Article ...

Reading the Section 5(a) Tea Leaves: What the end of 2015 may suggest about the FTC priorities in 2016

by Associate Breana Jeter

The end of 2015 represented a mixed bag for the Federal Trade Commission on privacy enforcement.  In November, the FTC’s Chief Administrative Law Judge dismissed the FTC’s complaint against LabMD for a possible data breach of 1,718 patients’ insurance claim information.  The patient’s sensitive information was discovered on peer-to-peer software by a data security company seeking to sell its services to LabMD.  While LabMD maintained that the patient’s information never left the company’s network and that there was no actual ...

Federal Trade Commission PrivacyCon 2016 Recap: Insights into the FTC’s Perspective on Privacy and Data Security

by Privacy & Data Security Member Karin McGinnis

The Federal Trade Commission’s PrivacyCon event brings together the FTC, researchers and academics to discuss the latest research and trends related to consumer privacy and data security.  Much of the discussion today centered on Big Data, coming on the heels of the FTC’s report, Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, which can be found here.  Also prominent were concerns about web transparency and whether consumers in fact understand what data is collected on them and how it will be used.  FTC ...

IN DRAFTING COMPANY-ISSUED DEVICE AND BYOD POLICIES, DON’T FORGET THE WAGE AND HOUR ISSUES.

I’ve been holding my breath waiting for the decision by the U.S. District Court for the Northern District of Chicago in the Allen v. City of Chicago overtime collective action before giving you a blog post on this case. The trial concluded almost two months ago. Because I am starting to turn blue, and because the issue is an important one, I’m not waiting any longer.

The case involves claims by Chicago police officers in the Bureau of Organized Crime seeking pay for time spent off-duty checking and responding to emails, texts and phone calls on police department issued Blackberry’s ...

European Court of Justice Invalidates E.U. – U.S. Safe Harbor Framework

On October 6, 2015, the European Union's Court of Justice (the "ECJ") invalidated the E.U. – U.S. Safe Harbor Framework (the “Safe Harbor”) -- a data transfer arrangement upon which thousands of U.S. based companies have relied for legally transferring personal data outside of the European Union to the United States.   In order to better understand the likely impact of the ECJ’s decision, it may be useful to understand the original purpose behind the Safe Harbor.

Background on the Safe Harbor

Prior to the adoption of the Safe Harbor, legally transferring personally ...

Federal Cybersecurity Legislation Moving Quickly, But Is It In the Wrong Direction?

By:  Marcus Lee and Omari Sealy

Federal cybersecurity legislation seeking to establish a national standard for data protection and breach response is quickly working its way through the legislative process.  The bipartisan bill, formerly known as the Data Security And Breach Notification Act of 2015 (hereafter “cybersecurity bill”), was introduced into the U.S. Senate on April 16, 2015, by Sen. Tom Carper (D-Delaware) and Sen. Roy Blunt (R-Missouri).   According to the bill, it is intended to provide a “clear set of national standards that would help the prevention of and ...

User Beware: Facebook’s Internet.org Platform Considered to be “Privacy Nightmare”

By:  Tandy Blackburn and Mindy Vervais

On May 4, 2015, Facebook introduced Internet.org Platform, an open program for developers to create services that integrate with Internet.org.  However, many privacy advocates have deemed the Internet.org Platform to be a “privacy nightmare” for internet users in developing countries where Internet.org is offered.

Nearly a year ago, Facebook first introduced Internet.org and its companion mobile application, Internet.org App (“the App”) to the world, starting with the African country of Zambia.  Facebook has since introduced ...

NYC Jumps on Band Wagon Limiting Employer Use of Credit History in Making Employment Decisions

One of the earliest U.S. privacy laws applicable to private entities was the Fair Credit Reporting Act (FCRA), enacted in 1970.  The FCRA placed substantial requirements on the use of background checks and credit information for consumer and employment purposes.  Those requirements included the two universal tenets of privacy protections—notice (that information will be collected and used) and consent (to the collection and use).  In 2003, the Fair and Accurate Credit Transactions Act (FACTA) provided further protections for credit information, including proper disposal of ...

Former Uber Driver Files Class Action for Data Security Breach

Uber Technologies Inc., the internet-based taxi service, was recently hit with a putative class action lawsuit over a data breach involving the personal information of about 50,000 current and former drivers.  Uber develops, markets and operates a mobile app-based transportation network.  Its app allows consumers to submit a trip request that is then routed to crowd-sourced taxi drivers.  In March 2014, a hacker gained access to a database containing the names and driver's license numbers of tens of thousands of Uber drivers.  Uber knew of the data breach as early as September 2014 ...

MVA Seminar - Limiting Legal Liability for Potential Privacy and Data Security Issues: Practical Approaches to a Complex Problem
LIMITING LEGAL LIABILITY FOR POTENTIAL PRIVACY AND DATA SECURITY ISSUES: PRACTICAL APPROACHES TO A COMPLEX PROBLEM (APRIL 29, 2015):  You know that privacy and data security issues pose a huge risk for your company.  Regulatory penalties, litigation costs and recovery, and even just the cost of analyzing a data breach and sending out required notices can hurt a company’s bottom line not to mention its reputation.  Target’s breach cost the company over $148 million.  Fortunately, there are practical steps that your company can take now to limit liability when the inevitable ...
Proceed with Caution: Vehicle to Vehicle Communication Technology

Will the brave new world of automobiles include talking vehicles?  According to a plan by the National Highway Traffic Safety Administration (“NHTSA”), the answer is yes.  NHTSA has provided advanced notice that it intends to propose a rule http://www.nhtsa.gov/About+NHTSA/Press+Releases/NHTSA-issues-advanced-notice-of-proposed-rulemaking-on-V2V-communications  that all passenger cars and light trucks must have vehicle to vehicle (“V2V”) communication capability by 2019.  Many automakers are already incorporating some V2V technology in their ...

President Obama Proposes Legislation to Nationalize Data Breach Notification Standard

2014 was the year of the data breach as several large, high profile breaches occurred, including EBay, Target, and Home Depot, that affected the personal data of millions of Americans.  On January 12, 2015, President Obama announced his intention to introduce legislation (by way of Congress) to require notification to consumers when their personal data has been compromised by a data breach.  This proposed law, the Personal Data Notification & Protection Act, is part of a more comprehensive legislative agenda by the White House, including a consumer privacy bill of rights and a law to ...

An Early Christmas Present for Consumers?  Court Rules that Retailers Can Be Liable to Banks Arising from Data Breaches.

by Privacy & Data Security Members Karin McGinnis & Robert Sumner

Cyber-Monday sales weren’t the only good thing that happened for consumers this week.  Later in the week a federal judge in Minnesota thwarted Target’s attempt to dismiss a lawsuit brought by banks and credit unions arising out of the massive data breach last year.  Although the breach and access to the credit card information of some 40 million consumers resulted from hackers obtaining the password of a Target vendor who was accessing an unrelated subsystem, the banks and credit unions claimed that Target was liable ...

Apple Strengthens Privacy Protections

Apple recently changed its privacy policy which has made headlines – it will no longer unlock iPhones and iPads for law enforcement.  Prior to this change, Apple would assist law enforcement in unlocking Apple devices when presented with a valid subpoena or court order.

According to Apple’s CEO, Tim Cook, the company attempts to avoid collecting user data when it designs new technology and services.  The most recent version of Apple’s mobile device operating system, iOS 8, encrypts the data for all iOS 8 applications, such as email, call records, and iMessage, and this data is ...

Do Employees Have the Right to Access Social Media in the Workplace?  Can Employers Block Social Media Websites?

A Pew Foundation study earlier this year found that 87% of all adults in the United States access the Internet or email, either through computers or mobile devices.  The same study found that of those adults, as many as 74% are using some form of social media, including Facebook, Instagram, Twitter and LinkedIn.  Given those numbers, it’s no wonder that many employers are concerned with managing their employees’ use of social media at work.

The conventional wisdom among many employers has long been that access to social media can be harmful to worker productivity.  Visions of ...

Social Media Password Protection: Where are we now?

In just two years, social media password protection has gone from a privacy advocate’s dream to an employer’s harsh reality in many states.  Maryland became the first state (in 2012) to enact legislation that prevented employers from requesting the user names or passwords to an employee’s or applicant’s personal social media accounts.  Two states quickly joined Maryland in 2012 by passing similar password privacy laws, and nine more states added privacy protections in 2013.

So far in 2014, six states – Louisiana, New Hampshire, Oklahoma, Rhode Island, Tennessee and ...

Privacy & Data Security Update: Supreme Court Rules that Warrants are Required for Cell Phone Searches

[On June 27, 2014, Charlotte Privacy & Data Security Member Karin McGinnis and Senior Counsel Todd Taylor published the following update regarding the U.S. Supreme Court decision in Riley v. California, 573 U.S. ___ (2014)]   On June 25th, the Supreme Court brought the Fourth Amendment into the digital age with its ruling in Riley v. California.  The case presented the question of whether a warrant was required in order for law enforcement to search a cell phone found on a suspect during the course of an arrest.  Chief Justice Roberts, writing for a unanimous court, stated clearly “[o]ur ...

Social Media - Love it or leave it?

Social Media - Love it or leave it? Charlotte Privacy & Data Security Member Karin McGinnis was published in Business North Carolina’s 2014 Law Journal, which was included in the publication’s May issue.  Her article, “Love it or leave it?” examines the pros and cons of social media use among businesses, and the “key strategy” – a business’s social media policy.

"Social media, love it or leave it? Social media has become an indispensable part of business. There is no question that social media is an effective marketing tool. Statistics show that 14% of consumers do not ...

About Data Points: Privacy & Data Security Blog

The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. We provide transparent and cutting-edge insight on critical issues and dynamics. Our team informs business decision-makers about the information they must protect, and what to do if/when security is breached.

Interested in Other Topics?

Jump to Page

Subscribe To Our Newsletter

Subscribe

* indicates required

By using this site, you agree to our updated Privacy Policy and our Terms of Use.