
New Hampshire.  On March 6, 2024, New Hampshire Governor Chris Sununu signed the state’s first comprehensive consumer privacy bill into law. The New Hampshire Privacy Act (the “NHPA”) is now the fourteenth such law to be passed in the United States, joining the likes of California, Oregon, Montana, Iowa, Indiana, and Tennessee, just to name a few. The NHPA is slated to take effect January 1, 2025 and will be enforced by the New Hampshire Attorney General.

Like many of its predecessors, the NHPA provides New Hampshire residents with rights to access, correct, and delete their personal ...

Last week we wrote about the California Court of Appeals’ February 9th decision vacating the trial court’s June 2023 order delaying enforcement of the California Privacy Rights Act (“CPRA”).  After that decision, we were left to wonder whether the plaintiff, the California Chamber of Commerce (the “Chamber”), would pursue an appeal. This week we got our answer. On February 20th the Chamber filed a petition with the California Supreme Court seeking review of the Court of Appeals’ decision.

The Chamber’s petition is unsurprising, given its staunch opposition to ...

On February 9, 2024, a California Court of Appeals vacated a June 2023 order delaying enforcement of the California Privacy Rights Act’s (CPRA) implementing regulations. It has been a long journey for the California Privacy Protection Agency (CPPA), which promulgated the regulations almost a year ago, on March 29, 2023. The CPPA planned to begin enforcement of the regulations as early as July 1, 2023, but last spring, the California Chamber of Commerce (Chamber) filed a lawsuit arguing for delayed enforcement. In June 2023, a California superior court ruled in favor of the ...

Last week, the White House issued an update on President Biden’s October 30, 2023 Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (the “AI EO” or “EO”). The update detailed the progress made on the EO directives, including among others, using the Defense Production Act to require AI companies to make specific reports on their AI systems to the government and proposing a rule that would require cloud companies to report foreign use of their services to train AI models and verify the identities of foreign customers. As ...

In July, Oregon’s governor signed into law the Oregon Consumer Privacy Act (“OCPA”), making Oregon the eleventh state to enact a comprehensive privacy law.  The OCPA goes into effect on July 1, 2024.  Covered businesses other than applicable non-profits must comply with the OCPA by that date.  Applicable non-profits will become subject to the OCPA on July 1, 2025.

On June 30, 2023, a court in Sacramento issued an order enjoining enforcement of the implementing regulations promulgated by the California Privacy Protection Agency (CPPA) under the California Privacy Rights Act of 2020 (CPRA). If the order stands, enforcement will be delayed until March 29, 2024.

In June, Texas became the tenth state with a comprehensive privacy law. The Texas Data Privacy and Security Act (“TDPSA”) contains familiar provisions from other state privacy laws regulating the collection, use, processing, and treatment of consumers’ personal data, but also has Texas-specific provisions. The TDPSA will be effective as of July 1, 2024, allowing a one-year compliance period.

This month, Indiana, Montana and Tennessee passed comprehensive privacy laws. Each tracks closely the comprehensive privacy laws outside of California, but with some variations. None applies to employee data or has a private right of action.  All have cure rights. Tennessee uniquely provides an affirmative defense for controllers who follow the NIST privacy framework. Tennessee’s law will go into effect July 1, 2024, giving businesses just over a year to prepare to comply. Indiana’s law affords businesses more time to comply – it will not take effect until January 1, 2026. Montana’s law will go into effect October 1, 2024. Below is a summary of key points from each law.

Last week the Florida Senate passed its version of a comprehensive privacy law (SB 262), entitled the Florida Digital Bill of Rights. If signed by Governor DeSantis, the Digital Bill of Rights will require large companies (those with at least $1 billion in annual global gross revenues and who meet other metrics) to provide consumers with certain rights, including access, correction and deletion rights, opt-ins for processing of sensitive personal information and data of known children, and opting out of the collection of targeting advertising, profiling, and voice recognition data. Although the threshold for coverage is high, the obligations are significant, including reasonable security measures, fair information practices, data protection assessments, mandated data retention limits, specific disclosures if the controller is engaged in targeted advertising, and a controversial requirement for disclosure of search engine methodology. Although there is no private cause of action, the Florida Department of Legal Affairs can enforce the law and impose civil penalties up to $50,000 per violation with trebling in certain instances.

As artificial intelligence systems such as ChatGPT and Midjourney have become increasingly prominent, so have concerns about the effects that such programs may have on the economy and society at large. With more businesses incorporating artificial intelligence (“AI”) into their operations, these apprehensions about its use become more salient every day. While the potential uses of AI for innovation, automation, and streamlining tasks are great, the algorithms powering AI are not free from the biases reflected in the data and content that they are fed, creating risks of violating civil rights and consumer protection laws.

Iowa has become the latest state to enact a consumer privacy law, joining California, Colorado, Connecticut, Utah, and Virginia.  On March 28, Governor Kim Reynolds signed into law Senate File 262, which, effective January 1, 2025, will provide Iowa consumers various protections over their personal data.  The law applies to businesses that either conduct business in Iowa or produce products or services targeting Iowa consumers AND that either control or process personal data of at least 100,000 consumers or control or process personal data of at least 25,000 consumers while deriving more than 50% of gross revenue from the sale of personal data.  Unlike California’s comprehensive privacy law, the Iowa statute does not have a revenue threshold for application of the statute.  The statute excludes from coverage financial institutions and affiliates and data subject to GLBA, and HIPAA covered entities, among others.

On March 29, 2023, Iowa’s governor made Iowa the sixth state with a comprehensive privacy law, following in the footsteps of California, Colorado, Connecticut, Virginia and Utah. The Iowa Act Relating to Consumer Data Protection (ICDP) goes into effect on January 1, 2025.

The ICDP (which can be found here: https://custom.statenet.com/public/resources.cgi?id=ID:bill:IA2023000S262&cuiq=8e04c833-ee30-5394-bd10-4b61a2d27686&client_md=d7215793292e6d8c9cb26a1382d8546d&mode=current_text) is most similar to the Utah Consumer Privacy Act, although the ICDP ...

On August 11, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued a circular (Circular 2022-04 or, the “Circular”) addressing whether insufficient data and information security practices can violate the prohibition against unfair acts or practices in the Consumer Financial Protection Act (“CFPA”). The CFPB concluded that inadequate security practices could give rise to a claim not only under federal data security laws like the Gramm-Leach-Bliley Act (“GLBA”), but also under the CFPA as well. The Circular discusses the elements of a claim under the CFPA and identifies a few specific practices that the CFPB identified as likely giving rise to a violation of the CFPA. The Circular, however, does not otherwise provide direction to the industry on expected information security practices.

On May 29, 2022, Maryland amended the Maryland Personal Information Protection Act (PIPA). Effective October 1, 2022, the amendment (located here https://mgaleg.maryland.gov/2022RS/chapters_noln/Ch_502_hb0962E.pdf ) revises provisions regarding genetic information. These revisions include an undefined term “genetic information” for purposes of notices required under PIPA. But the revisions also add a revised definition of genetic information as it applies to all other provisions of the law, including provisions requiring investigation into a data breach and the requirement that businesses implement and maintain reasonable security procedures and practices. Specifically, the revised definition includes data that results from the analysis of a biological sample of the individual or from another source that concerns genetic material and enables equivalent information to be obtained, DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms, and information extrapolated, derived or inferred from such data, unless the information is encrypted, redacted or otherwise protected by a method that renders the information unreadable or unusable.

Late last month the Securities and Exchange Commission (“SEC”) charged JP Morgan, UBS and Trade Station with violations of Regulation S-ID based on a range of inadequacies in their identity theft red flag policies and procedures. https://www.sec.gov/news/press-release/2022-131 The violations at issue might seem less than critical, such as not updating policies, merely copying over examples of red flags from Reg S-ID’s Appendix A, not incorporating specific policies into the red flag program, covering all accounts instead of conducting specific account assessments, and not providing sufficient detail in board reports. Although the SEC did not note any failure by these broker-dealers and investment advisors to actually detect and respond to identity theft red flags, the resulting orders and fines (up to $1.2 million), underline the SEC’s seriousness about protecting investors from cybercrime by requiring broker dealers and investment advisors to up their game and focus on the details.

The American Data Privacy and Protection Act (the “ADPPA”), a bill that would establish a comprehensive federal data privacy framework in the U.S., was formally introduced in the U.S. House of Representatives on June 21, 2022. Should the ADPPA become law, the United States will join the European Union and a handful of other countries such as Canada, Brazil, and New Zealand, in having a comprehensive data protection framework on a national level.

The U.S. Equal Employment Opportunity Commission (“EEOC”) is tasked with administrative enforcement of a variety of employment discrimination laws, including the Americans with Disabilities Act as amended (the “ADAAA”). The ADAAA prohibits discrimination against job applicants and employees based on “disabilities”, generally defined as a physical or mental impairment that substantially limits the individual in a major life activity. Employers of employees with a disability are required to provide disabled employees with a reasonable accommodation to enable the employee to perform the essential functions of their job, unless the reasonable accommodation would impose an undue hardship on the employer or in certain instances where the employee would still pose a direct threat to the health or safety of themselves or others that cannot be addressed by a reasonable accommodation. It is interesting, therefore, that the EEOC issued Technical Assistance on May 12, 2022 entitled The Americans with Disabilities Act and the Use of Software, Algorithms and Artificial Intelligence to Assess Job Applicants and Employees. The stated concern is that use of AI tools will disadvantage job applicants and employees with disabilities.

The EEOC’s Technical Assistance is not law. It is not even regulation. But it does signal how the EEOC might deal with charges of discrimination brought by applicants and employees based on an employer’s use of AI. 

Connecticut Joins the State Comprehensive Data Privacy Law Bandwagon

On May 10, 2022, Connecticut became the fifth state in the U.S. to enact a comprehensive data privacy statute.

Effective July 1, 2023, the law imposes CCPA-like requirements on covered businesses. In scope and requirements, the law more closely mirrors Virginia’s and Colorado’s comprehensive privacy laws, effective January 1, 2023 and July 1, 2023, respectively. 

Effective July 1, 2022, owners of personally identifiable information on residents of Indiana must provide notice of a data breach no later than 45 days after discovery of the breach. Currently, Indiana’s data breach law requires notice of a breach “without unreasonable delay.” When the amendment goes into effect in July, the 45-day period will be the latest that notice can be given.

Utah is Fourth State to Pass Comprehensive Privacy Legislation

Utah recently became the fourth state in the United States, after California, Virginia and Colorado, to pass comprehensive privacy legislation. The Utah Consumer Privacy Act (the “UCPA”) was passed by the Utah legislature as Senate Bill 227 and was signed by Governor Spencer Cox on March 24, 2022.

Invites to free webinars are not unsolicited advertisements, says Maryland federal court

The Telephone Consumer Protection Act (TCPA) prohibits sending an “unsolicited advertisement” to a fax machine, absent certain conditions. An “unsolicited advertisement” is “any material advertising the commercial availability or quality of any property, goods, or services which is transmitted to any person” without prior permission.

On its face, the TCPA’s definition seemingly would not include invitations to free seminars or webinars. However, in 2006 the Federal ...

The saga of the Capital One data breach, which impacted an estimated 106 million individuals in the U.S. and Canada, may soon be coming to an end. After more than two years of litigation, the parties have reached a settlement that would resolve existing and future consumer claims arising out of the 2019 breach which impacted Capital One customer information stored in the Amazon Web Services (AWS) cloud environment. If the settlement is approved, it will be one of the largest in any multidistrict data breach litigation.

California federal court rejects plaintiff’s attempt to circumvent Facebook

In April 2021, the Supreme Court dealt a massive blow to Telephone Consumer Protection Act claims based on automatic telephone dialing systems restrictions in its Facebook, Inc. v. Duguid ruling. You can read more about the Facebook decision here. In short, Facebook significantly narrowed the definition of “automatic telephone dialing systems,” thereby eliminating TCPA liability for voice calls—or text messages—produced by those systems. Facebook, however, did not limit liability for calls that used a prerecorded or artificial voice. But because text messages do not use prerecorded or artificial voices, Facebook was considered to largely (but not completely) wipe out TCPA liability for text messages.

Today the Supreme Court issued an order staying the OSHA Emergency Temporary Standard (ETS) that would have required all employers with 100 or more employees to enforce Covid-19 vaccination or testing requirements. 

On September 9, 2021, the Biden Administration issued a variety of measures designed to promote COVID-19 safeguards and decrease the spread of the COVID-19 virus. Such measures included two Executive Orders and President Biden’s COVID-19 Action Plan, all three of which greatly impact employers of varying sizes and industries.

McGinnis, Globalaw Provide International Perspective on COVID-19 Vaccines in the Workplace

The legal issues surrounding COVID-19 vaccines and mandates on employees are not unique to the United States. Karin McGinnis, Co-head of Moore & Van Allen's Data Privacy Team and member of Employment & Labor and Litigation Teams, recently collaborated with 11 esteemed colleagues from Globalaw™ in creating an article examining the law on COVID-19 vaccines in the workplace across five continents.  

You can find the article here

For questions and specific guidance regarding workplace vaccination regulations, contact Karin at the below link.

Resolving a split in lower courts, the U.S. Supreme Court issued a ruling in June limiting the type of conduct that can be prosecuted under the federal Computer Fraud and Abuse Act of 1986 (CFAA), a statute often used by U.S. Attorneys to prosecute hackers. In a 6-3 decision, SCOTUS ruled in Van Buren v. United States that Section 1030(a)(2) of the CFAA does not impose liability on individuals who use a computer to alter or obtain information they otherwise are entitled to obtain, even when they access the information for a prohibited purpose. In so ruling, SCOTUS limited a powerful federal ...

Colorado is now the third state in the U.S. to pass comprehensive privacy legislation, following in the footsteps of California and Virginia. The Colorado Privacy Act (the “CPA”), passed by the state’s General Assembly as SB 190, is currently awaiting signature by Governor Jared Polis. If signed, the CPA will become effective July 1, 2023. 

The CPA includes a mix of concepts similar to those found in other comprehensive privacy legislation passed in the U.S. (e.g., the California Consumer Privacy Act (the “CCPA”) and Virginia’s Consumer Data Protection Act (the ...

EEOC Updated Vaccination Guidance - May 28th

The U.S. Equal Employment Opportunity Commission (EEOC) on May 28, 2021 issued updated guidance on vaccinations. The relevant excerpts are attached and the full EEOC guidance is here https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws

In short:

  • During the pandemic, employers can mandate that employees receive the COVID-19 vaccine, subject to exceptions such as required accommodations for persons with disabilities (see K5);
  • Employers can require employees to provide the employer documentation showing that ...

The Supreme Court’s Facebook Ruling Narrows TCPA Claims—But Does Not Eliminate Them

Last month, the Supreme Court resolved a long-standing circuit split over the definition of an “automatic telephone dialing system” (ATDS) under the Telephone Consumer Protection Act (TCPA). The highly-anticipated decision in Facebook v. Duguid narrowed the type of equipment that constitutes an ATDS, and therefore drastically limited the scope of “automated” calls and texts that violate the TCPA.  

USDOL Offers Guidance on Data Security for Plan Fiduciaries and Service Providers

The Employee Benefits Security Administration of the United States Department of Labor (“EBSA”)  recently published guidance regarding cybersecurity best practices for recordkeepers and service providers responsible for plan related information technology systems and data for ERISA-covered plans, including 401k and other pension plans.

The EBSA counseled that a plan’s service providers should implement the following practices:

  1. Have a formal, well documented cybersecurity program.
  2. Conduct prudent annual risk assessments.
  3. Have a reliable annual third-party ...

Virginia’s Consumer Data Protection Act makes it the second state to pass a comprehensive data privacy law.

The California Privacy Rights Act of 2020 (“CPRA”) was approved during the California Statewide General Election as Proposition 24 on November 3, 2020. This means the California Consumer Privacy Act (“CCPA”) will be amended to the California Privacy Rights Act, which includes the establishment of a new privacy enforcement agency, new definitions for sensitive data with limits on use and sharing, and expanded breach liability. 

The CPRA will enter into force on January 1, 2023 and, apart from the right to access, will apply to personal information collected by businesses back to January 1, 2022.

Beware Compromised Business Email . . . and the Litigation That Follows

Businesses are facing this system hack with ever-increasing frequency:  An accounts payable employee receives new or updated payment instructions from a vendor via email.  The email appears to be from a familiar counterpart at the vendor; it contains accurate details specific to a current transaction; the new bank is well known; and the new instructions have the vendor’s name, or a version of it, as the beneficiary.

Update: The Washington Privacy Act

For more background on the Washington Privacy Act, see: Washington State Legislature Takes Another Shot At a Consumer Data Privacy Law (DataPoints, 1/22/2020)


Senate Bill 6281, the Washington Privacy Act, passed out of the Senate on February 14 and moved to the House of Representatives where it is expected to run up against some skepticism and questions. 

The bill was drafted to help bring Washington state more in line with California’s and the EU’s data privacy regulation efforts, in the absence of comprehensive privacy regulation at the federal level.  The Act places ...

Washington State Legislature Takes Another Shot At a Consumer Data Privacy Law

Following an unsuccessful attempt last year at passing a comprehensive data privacy bill, the Washington State Legislature is hoping the second time’s the charm. Senate Bill 6281, this session’s updated version of The Washington Privacy Act, is based on the best practices taken from the European Union’s General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) which went into effect on January 1 of this year. Although last year’s effort fizzled in Washington’s House of Representatives after passing the Senate 46-1, SB 6281 has been ...

Schrems II Opinion Casts Doubt on EU-US Data Protection Rules

Facebook is at the center of the “Schrems” case, which exposed contradictions between U.S. and EU data privacy rules and toppled the U.S./EU Safe Harbor (Schrems I). In Schrems II, Austrian Max Schrems challenges the adequacy of standard contractual clauses and the Privacy Shield (the replacement to the Safe Harbor).  A recent opinion in Schrems II questions the adequacy of privacy protections guaranteed by the U.S. but for now preserves the Privacy Shield and standard contractual clauses as potential adequate means of transferring personal data from the EU to the U.S.

The ...

The Wait is Over: Proposed Regulations Implementing the CCPA are Released

By Suzanne Gainey and Tandy Mathis.  On October 10, California Attorney General Xavier Becerra announced that the long-awaited proposed regulations implementing the California Consumer Privacy Act (“CCPA”) are available for public comment.  Although the regulations are not yet final, they do provide some visibility into what the Attorney General will expect from businesses that are subject to the CCPA.  While the proposed regulations add some clarity to the (sometimes unclear) language of the CCPA, the regulations also raise new questions about the application of the CCPA ...

California Consumer Privacy Act Update: AB25 and AB1355 Approved by California Governor

Earlier we posted an article regarding the amendments to the California Consumer Privacy Act by AB 25 and AB1355 creating a moratorium on the application of much of the CCPA to employee personal information—subject to approval by California’s governor. Pleased to report that Governor Newsom approved both AB25 and AB1355 and therefore the moratorium will be in effect until January 1, 2021. Some welcome relief to businesses trying to comply with the CCPA’s requirements.

California Consumer Privacy Act Update: California Legislature Provides Relief for Businesses Processing Employee Data

The California Consumer Privacy Act (CCPA) imposes significant protections for California residents covered by the law, and significant burdens for companies required to comply with it.    One area of concern is whether the CCPA applied to employee data collected by a business.  The language of the CCPA was unclear, but was open to the interpretation that its protections covered such data.  With an effective date of January 1, 2020, employers have been watching to see if the California legislature would clear up the uncertainty.  The good news is that for at least until January 1, 2021, most ...

NY Governor Signs Data Breach Security Law

As anticipated, today New York’s governor signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) discussed in our recap of US data breach laws enacted in the first half of 2019. The bill passed the state senate by a margin of 41 – 21. The law updates the body of law governing data breaches in New York by increasing the scope of information subject to current data breach notification laws and expanding notification requirements.

US Data Breach and Privacy 2019 Legislative Recap

A few weeks ago, Texas signed into law an amendment to its data breach law, capping off a busy first half of 2019 for state lawmakers in this arena.  As we gear up for the second half of 2019, we thought a recap was worthwhile.  The legislation reflects a number of trends, including increasing obligations on consumer reporting agencies (CRAs) to protect consumers (no doubt in part a reaction to the Equifax breach), and updating data breach notice and reporting to provide more transparency and more information to consumers to protect their data, and to update older laws to address ...

North Carolina Amendments to Data Breach Law Finally Introduced

On April 16, 2019, Representatives Saine, Jones and Reives introduced House Bill 904, the long anticipated amendments to the North Carolina Identity Theft Protection Act, N.C. Gen. Stat. § 75-61 et seq. We first wrote about the proposed legislation in February 2018 [Two Proposed Data Security Laws Reflect National Trend Toward Affirmative Responsibilities]. The bill also amends the definition of identifying information in North Carolina’s criminal identity theft statute, N.C. Gen. Stat. § 14-113.20(b), adopted by reference in the Identity Theft Protection Act’s ...

Washington State Legislature Moves Toward Passage of Broad Consumer Data Privacy Law

Following in the footsteps of California, and the European Union’s General Data Protection Regulation, the State of Washington is taking steps to adopt a comprehensive privacy law focused on protecting consumer information. SB 5376, better known as the Washington Privacy Act, passed in the Washington State Senate on March 6, 2019 by a vote of 46 to 1 and had a public hearing in the Washington State House Committee on Innovation, Technology & Economic Development on March 22, 2019.

The bill has also received support from Microsoft General Counsel and former U.S. FTC Commissioner ...

Illinois Supreme Court Rules on Biometric Privacy Case

Today, the Illinois Supreme Court unanimously held that actual harm was not a necessary component of proving a breach of the state’s Biometric Information Privacy Act.  This ruling found that Stacy Rosenbach, the mother of a minor whose thumbprint was collected by Six Flags as part of a season pass holder purchase, can be considered an “aggrieved person” under the state’s biometric privacy law without alleging that her child’s data was stolen or misused.

This decision is significant because Illinois has the nation’s only biometric privacy law with a private right of ...

SEC Issues Disclosure Guidance as Part of Continued Focus on Cybersecurity

As cybersecurity attacks have continued to gain prominence as a threat posing critical risk management and compliance challenges for financial institutions, the Securities and Exchange Commission (SEC) has emerged as an active federal regulator in this arena. In September 2017, the SEC announced creation of a Cyber Unit housed within the SEC’s Enforcement Division that targets cyber-related misconduct, including hacking to obtain material nonpublic information, intrusions into retail brokerage accounts, and cyber-related threats to trading platforms and other ...

NYS DFS September 4, 2018 Cybersecurity Compliance Deadline

Tuesday, September 4, 2018 marked the New York State Department for Financial Service’s deadline for compliance with several sections of cybersecurity regulation 23 NYCRR 500 (the “Regulation”).  The Regulation covers any organization that operates (or is required to operate) under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law (Title 3 of the NYCRR), the Insurance Law (Title 11 of the NYCRR), or the Financial Services Law (Title 23 of the NYCRR) (a “Covered Entity”).  This is the third compliance ...

Update on California Consumer Privacy Act

By Bret Buckler and Todd Taylor
Recently the state of California passed a data privacy and security law called the California Consumer Privacy Act (“CCPA”) (Assembly Bill 375, found here).

The law, which takes effect on January 1, 2020, is aimed at establishing a defined set of rights for consumers with regard to how their personal information is being collected and used.  The political push for the law comes on the heels of a contentious few months where tech giants such as Facebook have admitted to potentially problematic data breaches and oversharing of personal information ...

What’s next for Facebook?

Now that the cameras have gone, the booster cushion has been removed from the witness chair, and Mark Zuckerberg is comfortably back in Palo Alto, having survived his marathon two days of testimony in front of a somewhat confused Congress, what’s next?

Regulations  

Following the revelations that a political marketing firm, Cambridge Analytica, improperly obtained personal information from approximately 87 million Facebook user profiles (including even Mark Zuckerberg’s!), Congress has more support than ever to regulate Facebook and other social media tech.  On his ...

The CLOUD Act – Congress Passes New Bill Which Will Impact Access To Cross-Border Data

By Tandy Mathis

On Friday, March 23, 2018, Congress passed a 2,232 page omnibus spending bill. Included in the bill was a bipartisan act known as the “Clarifying Lawful Overseas Use of Data Act” or CLOUD Act, which will allow United States law enforcement to access the data stored abroad for U.S. citizens and will provide some relief to foreign law enforcement agencies to access the data of their citizens when that data is stored in the U.S.

The CLOUD Act Overhauls an Outdated Stored Communications Act (SCA) and an Overburdened Mutual Legal Assistance Treaty (MLAT) Act

At its core ...

North Carolina Security Breach Report 2017

By Nathan White

According to the recently released North Carolina Attorney General Security Breach Report, nearly 5,337,154 North Carolinians were impacted by security breaches in 2017.  The Report highlights several trends data protection specialists and North Carolina businesses should take into consideration.

The report breaks down 1,022 data breaches occurring in North Carolina during calendar year 2017.  For the first time since reporting was required in 2005, hacking constituted a slight majority of the reported breaches at 50.49%.  This reflects a continuing trend of ...

Two Proposed Data Security Laws Reflect National Trend Toward Affirmative Responsibilities

With major consumer data breaches making headlines on a semi-regular basis, legislators around the country are starting to hold businesses more accountable for cybersecurity compliance.  Industry-specific laws such as HIPAA and the Gramm-Leach-Bliley Act (GLBA) already establish federal data security standards for some companies, and the Federal Trade Commission has taken the position that failure to have reasonable security measures is a violation of the FTC Act (see our DataPoints post here). 

From Massachusetts to New Mexico, a handful of state legislatures also have ...

Delaware Amends Personal Information Protection Law

On August 17, 2017, Delaware amended its personal information protection law, Delaware Code Title 6, Chapter 12B.  The amendment becomes effective 240 days after enactment or March 14, 2018. The amended law significantly enhances the protections afforded Delaware residents whose personal information has been – or is reasonably believed to have been – breached, by adding obligations on the part of a person or entity who conducts business in Delaware or owns, licenses and maintains “personal information” as the Delaware law defines the term. The major changes to the law are ...

“Not so fast, my friend*” -- Judge Orders DreamHost Comply with DOJ’s Disruptj20 Search Warrant, with Caveats

By Nathan A. White

Can the government force the hosting service of an activist website company to turn over vast amounts of user data in order to track down political protesters?  According to a federal court ruling, the answer is yes, but let’s slow this train down a little bit.  On Thursday, August 24, 2017, District of Columbia Superior Court Chief Judge Robert E. Morin ordered DreamHost to comply with a search warrant issued by the Department of Justice on July 12, 2017 seeking IP addresses and other data of visitors to the “disruptj20.org” website hosted by DreamHost.  Disruptj20 ...

D.C. Circuit Finds that Theft of Health Insurance Subscriber ID Numbers Is a Cognizable Injury in Identity Theft Litigation

By Bill Butler

Recently, the D.C. Circuit Court of Appeals ruled in Attias v. CareFirst, Inc., No. 16-7108, that customers had standing to sue a health insurer for a 2014 data breach in which the customers’ information was stolen.  In reversing the district court’s dismissal of the class action, the D.C. Circuit held that the customers’ allegations that the hackers accessed and took their Social Security numbers, credit card numbers, and health insurance subscriber ID numbers were each independently sufficient to show actual or imminent injury.  The customers’ complaint ...

MVA Seminar - Privacy and Data Security in the Trump Era: How to talk to the FBI and your IT Department in a Data Breach

PRIVACY AND DATA SECURITY IN THE TRUMP ERA: HOW TO TALK TO THE FBI AND YOUR IT DEPARTMENT IN A DATA BREACH (MAY 24, 2017): Effectively responding to a data breach requires clear communication with a web of internal and external groups. Two important groups are law enforcement and a company’s internal IT department. With the help of an FBI agent and an IT professional, this seminar will explore how to effectively work with these two groups to address a breach. Wednesday, May 24, 2017 11:30 AM - 1:00 PM. Register here.

New Mexico Becomes 48th State to Enact Data Breach Statute

Recently the state of New Mexico enacted the Data Breach Notification Act, making it the 48th state in the United States to enact a statute requiring notice to individuals impacted by a data breach. In doing so, New Mexico follows some trends we've been predicting at the state level.  These trends include covering encrypted data in the definition of personal information if the encryption key is accessed as well, and – importantly – requiring that companies engage in reasonable security measures to protect personal information in their possession. New Mexico also joins a handful of ...

The FTC’s Public Comment on the NTIA’s Draft Coordinated Vulnerability Disclosure Template Reflects Further Support for the NIST’s Cybersecurity Framework

By Bill Butler

In August 2016, the Federal Trade Commission (“FTC”) addressed the effect of the Cybersecurity Framework (“NIST Framework”) issued by the National Institute of Standards and Technology on FTC enforcement actions under Section 5 of the FTC Act.  While there have been few enforcement actions to gauge the actual impact of the NIST Framework, the FTC’s recent public comment on the National Telecommunications and Information Administration’s (“NTIA”) proposed “coordinated vulnerability disclosure” template (“Template”) further ...

Beck v. McDonald – 4th Circuit Weighs In on Standing in Data Breach Case

We don’t see a lot of data breach litigation here in the Fourth Circuit, so it is notable that the Fourth Circuit Court of Appeals issued an opinion recently that weighs in on the standing debate (For more on the debate: Constitutional Standing Provides Fertile Battleground In Data Breach Litigation). In Beck v. McDonald, the plaintiffs in two consolidated cases sought to establish Article III standing based on the harm from embarrassment, mental distress, inconvenience, the increased risk of future identity theft and the cost of measures to protect against it after (i) a ...

Your Uber Driver Might Not Be the Only One Who Knows Where You Were Picked Up and Dropped Off….

By Tandy Mathis, Elena Mitchell, and Mindy Vervais

Did you know that if you’ve taken a New York City taxi since 2009, your pick-up and drop-off locations were recorded and published (through June of 2016) on the internet for anyone to find? Now, New York City officials want ride-sharing companies like Uber and Lyft to start providing drop-off and pick-up location data, too.

The New York City Taxi and Limousine Commission, or TLC, currently collects all kinds of trip data from New York City taxis—including pick-up and drop-off dates and times, coordinates of the start and end ...

Happy Data Privacy Day!  A Few Tips from the MVA Privacy and Data Security Group

Saturday January 28, 2017 is Data Privacy Day.  The Moore & Van Allen Privacy and Data Security group took a break from the pre-holiday revelries to put together some thoughts and tips for DataPoints.  So hoist a glass and enjoy this read, and try not to ponder too long the irony that Data Privacy Day falls on the same day as China’s New Year’s celebration.  Cheers!

  • Update vendor contracts. Make sure that contracts include required data security and privacy requirements. Some older laws and regulations already impose specific data security and privacy standards for certain industries ...

Live Streaming: The Privacy Concerns of Behind-the-Scenes Access

By Leslie Pedernales

A professional football team clinches their playoff spot in an upset game, then hits the locker room for a celebration and an inspirational pep talk from their winning coach.  The perfect application for livestreaming, one might think.  Opening a window into this mysterious world for all the rest of us to see and experience.  Not so fast.

After the Pittsburgh Steelers upset the Kansas City Chiefs in the AFC playoff game on January 15, Steelers wide receiver Antonio Brown invited the world into the Steelers’ locker room to join in the celebration through Facebook ...

Constitutional Standing Provides Fertile Battleground In Data Breach Litigation

A common and understandable concern of companies that suffer a data breach is whether the victims can sue the company.  It is tempting to assume that the victims won’t sue if they do not suffer identity theft or monetary loss through misuse of the data.  Not all victims, or courts, agree.  As a result, standing, a constitutional prerequisite to bringing a lawsuit in federal court that is most often conceded rather than litigated, has become a focal point in data breach litigation where “risk of future harm,” rather than actual misuse of data, forms the basis of the victims’ claims.

To ...

The FTC Faces an Embarrassing Set-Back in its Data Security Enforcement Authority as the LabMD Saga Continues

On November 10th, the Eleventh Circuit Court of Appeals handed an embarrassing defeat to the Federal Trade Commission and an early Christmas present to LabMD, Inc. in the ongoing David and Goliath battle between the government agency and the now-defunct clinical lab.

What Happened?

It’s not easy to explain in a blog entry the complex backstory leading up to LabMD’s recent win, but here goes:

Over a thirteen year period (until it ceased business in 2014), LabMD operated a clinical laboratory that performed tests on patient specimen samples.  As part of its operations, LabMD had ...

Political Speech in the Workplace

By Leslie Pedernales

The upcoming presidential election between two larger-than-life characters, each capable of stirring intense emotional reactions from both sides, is sure to produce some spirited debate around the water cooler this fall.  Many employees mistakenly assume that their expression of political speech (including nonverbal expression such as buttons or signs) is protected by the First Amendment of the U.S. Constitution.  However, it might surprise you to learn that employers generally have the right to regulate employee political speech – the level of that ...

MVA Seminar - Contracting for the Cloud

CONTRACTING FOR THE CLOUD (OCTOBER 27, 2016): Privacy and data security issues impact every industry and affect almost all aspects of a company’s operations. Sales, human resources, data maintenance and storage, IT, legal and compliance, even litigation, all require careful attention to protecting the privacy of personal information as well as preserving the integrity of company, customer or third party data. Moore & Van Allen developed the Privacy & Data Security Seminar Series 2016 to help our clients and friends of the firm navigate the legal and the practical challenges ...

The Early Days of the EU-U.S. Privacy Shield: Should Your Organization Self-Certify?

On August 1, 2016, the U.S. Department of Commerce began accepting self-certification applications for the new EU-U.S. Privacy Shield Framework.  In the month that has followed over 100 companies (including Microsoft, Oracle and Salesforce, among others) have self-certified that they are in compliance with the EU-U.S. Privacy Shield.

Now that the Privacy Shield is in effect and gaining acceptance, it is a good time for companies to examine whether the Privacy Shield makes sense for them.  To answer that question, it is important to understand some basic facts about the Privacy ...

FTC Data Security Standards: Final Order in the ASUSTeK Case; No Mercy for LabMD

The Federal Trade Commission, continuing its quest to be the enforcer of consumer privacy rights, has come down hard this month on ASUSTeK and LabMD for their failure to have adequate data security standards. Because the FTC has taken the position that its complaints and orders set the standard for adequate data security (DataPoints: Reading the Section 5(a) Tea Leaves: What the end of 2015 may suggest about the FTC priorities in 2016), companies subject to FTC jurisdiction should take heed.

LabMD cannot seem to catch a break. Although an ALJ dismissed the FTC’s claim against LabMD ...

European Parliament Passes Landmark Data Protection Regulation

Robert Sumner IV and Brandon Gaskins

On April 14, 2016, the European Parliament passed the General Data Protection Regulation (GDPR) and its companion, Data Protection Directive for Police and Criminal Justice Authorities.  The GDPR is a comprehensive regulation that includes new and enhanced privacy rights for European Union (EU) citizens, such as “the right to be forgotten” and the right to object to data processing, including data profiling.  The GDPR also establishes new and heightened obligations for companies doing business in the EU related to the collection, use, and ...

EU Article 31 Committee Approves EU-US Privacy Shield

EU Member States (the Article 31 Committee)  approved today the EU-US Privacy Shield.  The next step is formal adoption.  The full press release can be found here.

The approval of the Privacy Shield is good news for companies who transfer personal data from the EU to the US. Although legal challenges to the Privacy Shield are likely, the Privacy Shield was designed to address the shortcomings cited by the European Court of Justice in the now invalidated Safe Harbor self-certification scheme and should have a better chance of standing up to those legal challenges.

Another Challenge for Information Governance: The Defense of Trade Secrets Act

Tandy Mathis and Karin McGinnis

Good information governance requires not only protecting the security of sensitive and proprietary information; it often requires pursuing legal action against those who threaten the secrecy and value of a company’s trade secrets.  The Defense of Trade Secrets Act (“DTSA”) both provides another tool for companies to pursue misappropriators of trade secrets and makes it more difficult for companies to quickly seize misappropriated trade secrets through court action.  Given the challenges of the DTSA, companies should bolster their efforts ...

U.S. Government Petitions to Join Data Privacy Litigation Against Facebook in Ireland

On June 13, 2016, the United States government asked the Irish High Court to be joined as amicus curiae (friend of the court) in the case brought by the Austrian privacy activist Max Schrems against Facebook attacking the use of model contract clauses to transfer EU citizens’ data from the EU to the U.S. as violating fundamental privacy rights. This is an unusual request for the U.S. government to seek to intervene in private litigation, particularly in foreign courts. However, the stakes are high should Facebook lose, and the U.S. government’s surveillance practices are at the ...

MVA Seminar - The Nuts and Bolts of Data Security Programs: How to Put One Together for Your Company

THE NUTS AND BOLTS OF DATA SECURITY PROGRAMS: HOW TO PUT ONE TOGETHER FOR YOUR COMPANY (JUNE 2016): Privacy and data security issues impact every industry and affect almost all aspects of a company’s operations. Sales, human resources, data maintenance and storage, IT, legal and compliance, even litigation, all require careful attention to protecting the privacy of personal information as well as preserving the integrity of company, customer or third party data. Moore & Van Allen developed the Privacy & Data Security Seminar Series 2016 to help our clients and friends of the ...

MVA Seminar - Responding to a Data Breach:  What to Expect and What to Avoid

RESPONDING TO A DATA BREACH: WHAT TO EXPECT AND WHAT TO AVOID (APRIL 20, 2016): Verizon, Experian, and T-Mobile are on a growing list of entities impacted by major data breaches in the past year.  But data breaches are not just limited to large national companies or organizations. No one is immune. For most organizations—big or small—the question is not “if” they will be impacted by a data breach, but “when.” This seminar will help attendees gain a better understanding of what to do in the aftermath of a data breach, analyzing such questions as:
  • What should I expect after a ...

Energy Industry Target of Cyber-Attacks and Congressional Efforts to Bolster Security

Cybersecurity of the electric power grid and energy sector as a whole has been the subject of heightened Congressional attention given the integral role the industry plays in our economy. According to a 2015 U.S. Senate committee report, nearly one-third of reported cyber-attacks involve the energy sector. Not surprisingly, the 114th Congress (2015-2016) has introduced several pieces of legislation targeted towards enhancing the security of the nation’s energy infrastructure. Among the bills introduced were S. 1068 – An act to amend the Federal Power Act to protect the ...

President Obama Signs New Privacy Law – Judicial Redress Act

On February 24, 2016, President Obama signed into law the Judicial Redress Act giving citizens of certain “covered countries” access to U.S. courts to protect their privacy and take legal action against U.S. government agencies if their personal data is unlawfully disclosed.  The  Act provides that the U.S. Secretary of State, the Treasury Secretary and the Secretary of Homeland Security, will designate which countries and “regional economic integration organizations” (REIOs) will be “covered countries.”  To be designated, however, the countries and REIOs must ...

MVA Seminar - Privacy and Data Breach:  What Can Companies Expect in 2016?

PRIVACY AND DATA BREACH: WHAT CAN COMPANIES EXPECT IN 2016? (MARCH 16, 2016, SPEAKERS - KARIN MCGINNIS, TODD TAYLOR): 2016 promises to bring significant developments and challenges in information privacy and data security. Congress and state legislatures are continuing to focus on new laws to protect personal information while at the same time minimize the impact of cybersecurity threats. The Federal Trade Commission has made clear that it will continue to be a watchdog for privacy and data security violations affecting consumers, while at the same time the National Labor ...

Mobile Applications that Track User Information Have the FTC’s Attention

by Member Omari Sealy

Similar to website browsers, many mobile applications collect a variety of information from the user, including the user’s identity, usage history, past log-ins, and location.  This enables the application to provide various functionality and to tailor features of the application for a better user experience (e.g., items retained in a shopping cart or targeted advertising).  These applications can be found in a variety of everyday devices such as smartphones, tablets, laptops, smart TVs, and even in some newer automobiles.  However, the enhanced ...

Inadequate OCR Technology and Policy Result in Few Consequences for Repeat HIPAA Violators

The Office for Civil Rights within the U.S. Department of Health and Human Services (OCR) is the federal agency tasked with enforcing the Health Insurance Portability and Accountability Act (HIPAA). HIPAA, as most folks reading this know, requires health care providers and other covered entities to protect the privacy and security of an individual’s protected health information (PHI). OCR has broad enforcement authority and wide latitude in deciding how to handle complaints alleging violations of HIPAA’s privacy, security, and breach notification rules. OCR can resolve a ...

US and EU “Privacy Shield” Framework for Cross-Border Data Transfers Submitted to Article 29 Working Party Today

by Privacy & Data Security Member Karin McGinnis

On the same day that groundhog Punxsutawney Phil predicted an early Spring, the EU College of Commissioners brought some sunshine of its own, announcing yesterday that it has reached an agreement with the U.S. on transfers of personal  data from the EU to the U.S.  Details on the “Privacy Shield” are sketchy, and the EU Commission still must confer with the Article 29 Working Party and draft a decision document setting forth the terms.  But this is welcome news for companies on both sides of the pond.  More good news came today.  The Article ...

Reading the Section 5(a) Tea Leaves: What the end of 2015 may suggest about the FTC priorities in 2016

by Associate Breana Jeter

The end of 2015 represented a mixed bag for the Federal Trade Commission on privacy enforcement.  In November, the FTC’s Chief Administrative Law Judge dismissed the FTC’s complaint against LabMD for a possible data breach of 1,718 patients’ insurance claim information.  The patients’ sensitive information was discovered on peer-to-peer software by a data security company seeking to sell its services to LabMD.  While LabMD maintained that the patients’ information never left the company’s network and that there was no actual ...

Federal Trade Commission PrivacyCon 2016 Recap: Insights into the FTC’s Perspective on Privacy and Data Security

by Privacy & Data Security Member Karin McGinnis

The Federal Trade Commission’s PrivacyCon event brings together the FTC, researchers and academics to discuss the latest research and trends related to consumer privacy and data security.  Much of the discussion today centered on Big Data, coming on the heels of the FTC’s report, Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues, which can be found here.  Also prominent were concerns about web transparency and whether consumers in fact understand what data is collected on them and how it will be used.  FTC ...

IN DRAFTING COMPANY-ISSUED DEVICE AND BYOD POLICIES, DON’T FORGET THE WAGE AND HOUR ISSUES.

I’ve been holding my breath waiting for the decision by the U.S. District Court for the Northern District of Chicago in the Allen v. City of Chicago overtime collective action before giving you a blog post on this case. The trial concluded almost two months ago. Because I am starting to turn blue, and because the issue is an important one, I’m not waiting any longer.

The case involves claims by Chicago police officers in the Bureau of Organized Crime seeking pay for time spent off-duty checking and responding to emails, texts and phone calls on police department-issued BlackBerrys ...

European Court of Justice Invalidates E.U. – U.S. Safe Harbor Framework

On October 6, 2015, the European Union's Court of Justice (the "ECJ") invalidated the E.U. – U.S. Safe Harbor Framework (the “Safe Harbor”) -- a data transfer arrangement upon which thousands of U.S. based companies have relied for legally transferring personal data outside of the European Union to the United States.   In order to better understand the likely impact of the ECJ’s decision, it may be useful to understand the original purpose behind the Safe Harbor.

Background on the Safe Harbor

Prior to the adoption of the Safe Harbor, legally transferring personally ...

Federal Cybersecurity Legislation Moving Quickly, But Is It In the Wrong Direction?

By:  Marcus Lee and Omari Sealy

Federal cybersecurity legislation seeking to establish a national standard for data protection and breach response is quickly working its way through the legislative process.  The bipartisan bill, formerly known as the Data Security And Breach Notification Act of 2015 (hereafter “cybersecurity bill”), was introduced into the U.S. Senate on April 16, 2015, by Sen. Tom Carper (D-Delaware) and Sen. Roy Blunt (R-Missouri).   According to the bill, it is intended to provide a “clear set of national standards that would help the prevention of and ...

User Beware: Facebook’s Internet.org Platform Considered to be “Privacy Nightmare”

By:  Tandy Blackburn and Mindy Vervais

On May 4, 2015, Facebook introduced Internet.org Platform, an open program for developers to create services that integrate with Internet.org.  However, many privacy advocates have deemed the Internet.org Platform to be a “privacy nightmare” for internet users in developing countries where Internet.org is offered.

Nearly a year ago, Facebook first introduced Internet.org and its companion mobile application, Internet.org App (“the App”) to the world, starting with the African country of Zambia.  Facebook has since introduced ...

NYC Jumps on Band Wagon Limiting Employer Use of Credit History in Making Employment Decisions

One of the earliest U.S. privacy laws applicable to private entities was the Fair Credit Reporting Act (FCRA), enacted in 1970.  The FCRA placed substantial requirements on the use of background checks and credit information for consumer and employment purposes.  Those requirements included the two universal tenets of privacy protections—notice (that information will be collected and used) and consent (to the collection and use).  In 2003, the Fair and Accurate Credit Transactions Act (FACTA) provided further protections for credit information, including proper disposal of ...

Former Uber Driver Files Class Action for Data Security Breach

Uber Technologies Inc., the internet-based taxi service, was recently hit with a putative class action lawsuit over a data breach involving the personal information of about 50,000 current and former drivers.  Uber develops, markets and operates a mobile app-based transportation network.  Its app allows consumers to submit a trip request that is then routed to crowd-sourced taxi drivers.  In March 2014, a hacker gained access to a database containing the names and driver's license numbers of tens of thousands of Uber drivers.  Uber knew of the data breach as early as September 2014 ...

MVA Seminar - Limiting Legal Liability for Potential Privacy and Data Security Issues: Practical Approaches to a Complex Problem

LIMITING LEGAL LIABILITY FOR POTENTIAL PRIVACY AND DATA SECURITY ISSUES: PRACTICAL APPROACHES TO A COMPLEX PROBLEM (APRIL 29, 2015):  You know that privacy and data security issues pose a huge risk for your company.  Regulatory penalties, litigation costs and recovery, and even just the cost of analyzing a data breach and sending out required notices can hurt a company’s bottom line not to mention its reputation.  Target’s breach cost the company over $148 million.  Fortunately, there are practical steps that your company can take now to limit liability when the inevitable ...

Proceed with Caution: Vehicle to Vehicle Communication Technology

Will the brave new world of automobiles include talking vehicles?  According to a plan by the National Highway Traffic Safety Administration (“NHTSA”), the answer is yes.  NHTSA has provided advanced notice that it intends to propose a rule (http://www.nhtsa.gov/About+NHTSA/Press+Releases/NHTSA-issues-advanced-notice-of-proposed-rulemaking-on-V2V-communications) that all passenger cars and light trucks must have vehicle to vehicle (“V2V”) communication capability by 2019.  Many automakers are already incorporating some V2V technology in their ...

President Obama Proposes Legislation to Nationalize Data Breach Notification Standard

2014 was the year of the data breach as several large, high profile breaches occurred, including eBay, Target, and Home Depot, that affected the personal data of millions of Americans.  On January 12, 2015, President Obama announced his intention to introduce legislation (by way of Congress) to require notification to consumers when their personal data has been compromised by a data breach.  This proposed law, the Personal Data Notification & Protection Act, is part of a more comprehensive legislative agenda by the White House, including a consumer privacy bill of rights and a law to ...

An Early Christmas Present for Consumers? Court Rules that Retailers Can Be Liable to Banks Arising from Data Breaches.

by Privacy & Data Security Members Karin McGinnis & Robert Sumner

Cyber-Monday sales weren’t the only good thing that happened for consumers this week.  Later in the week a federal judge in Minnesota thwarted Target’s attempt to dismiss a lawsuit brought by banks and credit unions arising out of the massive data breach last year.  Although the breach and access to the credit card information of some 40 million consumers resulted from hackers obtaining the password of a Target vendor who was accessing an unrelated subsystem, the banks and credit unions claimed that Target was liable ...

Apple Strengthens Privacy Protections

Apple recently changed its privacy policy which has made headlines – it will no longer unlock iPhones and iPads for law enforcement.  Prior to this change, Apple would assist law enforcement in unlocking Apple devices when presented with a valid subpoena or court order.

According to Apple’s CEO, Tim Cook, the company attempts to avoid collecting user data when it designs new technology and services.  The most recent version of Apple’s mobile device operating system, iOS 8, encrypts the data for all iOS 8 applications, such as email, call records, and iMessage, and this data is ...

Do Employees Have the Right to Access Social Media in the Workplace?  Can Employers Block Social Media Websites?

A Pew Foundation study earlier this year found that 87% of all adults in the United States access the Internet or email, either through computers or mobile devices.  The same study found that of those adults, as many as 74% are using some form of social media, including Facebook, Instagram, Twitter and LinkedIn.  Given those numbers, it’s no wonder that many employers are concerned with managing their employees’ use of social media at work.

The conventional wisdom among many employers has long been that access to social media can be harmful to worker productivity.  Visions of ...

Social Media Password Protection: Where are we now?

In just two years, social media password protection has gone from a privacy advocate’s dream to an employer’s harsh reality in many states.  Maryland became the first state (in 2012) to enact legislation that prevented employers from requesting the user names or passwords to an employee’s or applicant’s personal social media accounts.  Two states quickly joined Maryland in 2012 by passing similar password privacy laws, and nine more states added privacy protections in 2013.

So far in 2014, six states – Louisiana, New Hampshire, Oklahoma, Rhode Island, Tennessee and ...

Privacy & Data Security Update: Supreme Court Rules that Warrants are Required for Cell Phone Searches

[On June 27, 2014, Charlotte Privacy & Data Security Member Karin McGinnis and Senior Counsel Todd Taylor published the following update regarding the U.S. Supreme Court decision in Riley v. California, 573 U.S. ___ (2014)]   On June 25th, the Supreme Court brought the Fourth Amendment into the digital age with its ruling in Riley v. California.  The case presented the question of whether a warrant was required in order for law enforcement to search a cell phone found on a suspect during the course of an arrest.  Chief Justice Roberts, writing for a unanimous court, stated clearly “[o]ur ...

Social Media - Love it or leave it?

Social Media - Love it or leave it? Charlotte Privacy & Data Security Member Karin McGinnis was published in Business North Carolina’s 2014 Law Journal, which was included in the publication’s May issue.  Her article, “Love it or leave it?” examines the pros and cons of social media use among businesses, and the “key strategy” – a business’s social media policy.

"Social media, love it or leave it? Social media has become an indispensable part of business. There is no question that social media is an effective marketing tool. Statistics show that 14% of consumers do not ...

About Data Points: Privacy & Data Security Blog

The technology and regulatory landscape is rapidly changing, thus impacting the manner in which companies across all industries operate, specifically in the ways they collect, use and secure confidential data. We provide transparent and cutting-edge insight on critical issues and dynamics. Our team informs business decision-makers about the information they must protect, and what to do if/when security is breached.
