In the much anticipated first annual review of the EU-US Privacy Shield program, the European Commission concluded that the program continues to provide adequate protection for personal information transferred from Europe to the United States. The Privacy Shield lets EU entities send personal information to participating US companies without running afoul of EU law – law which prohibits the exporting of personal information to entities located in countries whose laws were not deemed “adequate” (except in certain limited circumstances). The US has not been deemed to have “adequate” laws (only a few non-EU countries have been determined adequate, among them Canada, Israel, New Zealand, Switzerland and Uruguay).
A Florida court recently broke with other district courts in its circuit when it concluded that a plaintiff lacks standing to sue a defendant for a mere technical violation of the Fair and Accurate Credit Transactions Act (FACTA) unless the plaintiff has been harmed. FACTA prohibits printing more than the last five digits of a credit card number or the expiration date on a receipt. In the case in question (Gesten v. Burger King Corp.) the plaintiff alleged that Burger King violated FACTA when it provided him with a receipt which identified his payment method as a debit card, identified the issuing company (e.g., Visa, American Express), and included the first six and last four digits of his account number.
Employees of Peacock Foods, an Illinois-based food product manufacturer, recently filed a lawsuit against their employer for alleged violations of Illinois’ Biometric Information Privacy Act. Under BIPA, companies that collect biometric information must inter alia have a written retention policy (that they follow). As part of the policy, the law states that they must delete biometric information after they no longer need it, or three years after the last transaction with the individual. Companies also need consent to collect the information under the Illinois law, cannot sell the information, and must obtain consent before sharing it.
Nevada, Oregon and New Jersey recently passed laws focusing on the collection of consumer information, serving as a reminder for advertisers, retailers, publishers and data collectors to keep up-to-date, accurate and compliant privacy and information collection policies.
There were new developments regarding the Sabre cyber breach this past week, as the travel industry and the public are learning more about its scope and scale.
To recap, in early May, Sabre, Inc., which provides electronic travel booking services, disclosed that it was investigating “an incident of unauthorized access to payment information contained in a subset of hotel reservations processed through [its] Hospitality Solutions SynXis Central Reservations system.” That system serves 32,000 properties. Sabre stated that it had shut off the unauthorized access and had engaged a security forensics firm to investigate.
Two recent judgments against Dish Network LLC (“Dish”) for violations of the Telephone Consumer Protection Act (TCPA) and similar state and federal laws demonstrate the significant liability companies may face based on the actions of their third-party contractors. Dish has been ordered to pay a total of approximately $341 million in two separate federal court actions related to TCPA violations committed by its marketing service providers. Both cases underscore the importance of maintaining strong vendor oversight in the highly regulated telemarketing industry.
How The EU Data Privacy Regulation Will Affect American Companies’ Data Collection and Processing Practices – and Their Revenue
For American companies who do business in Europe or who process the personal data of EU residents, the world of data privacy and security is about to get much more complicated. While U.S. privacy law is unsettled, with rapidly proliferating state and federal laws and regulations and uncertainty as to how strictly they will be enforced, the rules in the European Union are tough and about to get much tougher. The General Data Protection Regulation (EU) 2016/679 (GDPR), slated to take effect in May 2018, will give consumers in the EU substantially more control over how their personal data is used. The increased control includes the right to:
- access any personal data that has been collected,
- obtain confirmation about whether an individual’s data is being processed, and
- require that the data be “erased” if the consumer withdraws consent.
On June 5, the Supreme Court agreed to review a case addressing an individual’s expectation of privacy in his or her historical cellphone location records. This case may well change the way we approach individual privacy in the digital age – not only with regard to cell phone records, but also information relating to email and internet activity, among other things.
On May 11, President Donald Trump issued his long-awaited Executive Order on cybersecurity, the ‘‘Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.’’ It had been in the works since early in the administration, and its release had been announced (and drafts leaked) several times, only to be pulled back and reworked further. The Executive Order calls for a government-wide review and analysis of federal information technology infrastructure, including known risks and vulnerabilities, as well as consideration of the U.S.’s cybersecurity capabilities in relation to the rest of the world.
This is not a drill.
Companies and law enforcement agencies around the world have been left scrambling after the world’s most prolific ransomware attack hit over 500,000 computers in 150 countries over a span of only 4 days. The ransomware – called WannaCry, WCry, WannaCrypt, or WannaDecryptor – infects vulnerable computers and encrypts all of the data. The owner or user of the computer is then faced with an ominous screen, displaying a countdown timer and a demand that a ransom of $300 be paid in bitcoin before the owner can regain access to the encrypted data. The price demanded increases over time until the end of the countdown, when the files are permanently destroyed. To date, the total amount of ransom paid by companies is reported to be less than $60,000, indicating that companies are opting to let their files be destroyed and to rely instead on backups rather than pay the attackers. Nevertheless, the total disruption costs to businesses are expected to range from the hundreds of millions to the billions of dollars.