Nevada, Oregon and New Jersey recently passed laws focusing on the collection of consumer information, serving as a reminder for advertisers, retailers, publishers and data collectors to keep up-to-date, accurate and compliant privacy and information collection policies.
There were new developments regarding the Sabre cyber breach this past week, as the travel industry and the public are learning more about its scope and scale.
To recap, in early May, Sabre, Inc., which provides electronic travel booking services, disclosed that it was investigating “an incident of unauthorized access to payment information contained in a subset of hotel reservations processed through [its] Hospitality Solutions SynXis Central Reservations system.” That system serves 32,000 properties. Sabre stated that it had shut off the unauthorized access and had engaged a security forensics firm to investigate.
Two recent judgments against Dish Network LLC (“Dish”) for violations of the Telephone Consumer Protection Act (TCPA) and similar state and federal laws demonstrate the significant liability companies may face based on the actions of their third-party contractors. Dish has been ordered to pay a total of approximately $341 million in two separate federal court actions related to TCPA violations committed by its marketing service providers. Both cases underscore the importance of maintaining strong vendor oversight in the highly regulated telemarketing industry.
How The EU Data Privacy Regulation Will Affect American Companies’ Data Collection and Processing Practices – and Their Revenue
For American companies who do business in Europe or who process the personal data of EU residents, the world of data privacy and security is about to get much more complicated. While U.S. privacy law is unsettled, with rapidly proliferating state and federal laws and regulations and uncertainty as to how strictly they will be enforced, the rules in the European Union are tough and about to get much tougher. The General Data Protection Regulation (EU) 2016/679 (GDPR), slated to take effect in May 2018, will give consumers in the EU substantially more control over how their personal data is used. The increased control includes the right to:
- access any personal data that has been collected,
- obtain confirmation about whether an individual’s data is being processed, and
- require that the data be “erased” if the consumer withdraws consent.
On June 5, the Supreme Court agreed to review a case addressing an individual’s expectation of privacy in his or her historical cellphone location records. This case may well change the way we approach individual privacy in the digital age – not only with regard to cell phone records, but also information relating to email and internet activity, among other things.
On May 11, President Donald Trump issued his long-awaited Executive Order on cybersecurity, the “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” It had been in the works since early in the administration, and its release had been announced (and drafts leaked) several times, only to be pulled back and reworked further. The Executive Order calls for a government-wide review and analysis of federal information technology infrastructure, including known risks and vulnerabilities, as well as consideration of the U.S.’s cybersecurity capabilities in relation to the rest of the world.
This is not a drill.
Companies and law enforcement agencies around the world have been left scrambling after the world’s most prolific ransomware attack hit over 500,000 computers in 150 countries over a span of only 4 days. The ransomware – called WannaCry, WCry, WannaCrypt, or WannaDecryptor – infects vulnerable computers and encrypts all of the data. The owner or user of the computer is then faced with an ominous screen, displaying a countdown timer and a demand that a ransom of $300 be paid in bitcoin before the owner can regain access to the encrypted data. The price demanded increases over time until the end of the countdown, when the files are permanently destroyed. To date, the total amount of ransom paid by companies is reported to be less than $60,000, indicating that companies are opting to let their files be destroyed and to rely instead on backups rather than pay the attackers. Nevertheless, the total disruption cost to businesses is expected to range from the hundreds of millions to the billions of dollars.
Enforcement of the Digital Advertising Alliance “Application of the Principles of Transparency and Control to Data Used Across Devices” (DAA Cross-Device Principles) officially began on February 1, just a week after the FTC issued a staff report discussing the application of the FTC Online Behavioral Advertising Principles in the context of “Cross Device Tracking” and suggesting that the DAA Cross-Device Principles, while commendable, could be stronger.
In late December, New York State’s Department of Financial Services (“DFS”) released its revised proposed cybersecurity regulation (the “DFS Rule”). While the revisions pare back some of the DFS Rule’s original requirements and add some much needed flexibility, the regulation will still impose many new obligations upon a wide array of financial institutions doing business in New York. The DFS Rule will become effective on March 1, 2017.
Much has been written about the challenges and issues that companies will face when implementing new policies and adjusting to the obligations of the new European General Data Protection Regulation, GDPR in short. The following paragraphs will give you the gist of the new Regulation and the essential elements that you must take into consideration in your endeavors to adjust to the GDPR, which will take effect across the EU as of May 25, 2018. There is enough time for your organization to adjust, but work must start now. Our key approach in implementing new obligations and making the necessary adjustments to this new European framework for personal data collection and processing is based on two simple rules: simplicity and efficiency.