EU-US Privacy Shield: Still Awaiting Certainty

The European Perspective

Privacy activists across Europe raised their data protection banner following the announcement by EU Commissioner for Justice, Consumers and Gender Equality Věra Jourová on Tuesday 2 February 2016 that a political agreement had been reached between the EU and the US on a new framework for handling transatlantic data flows. This does not bode well, especially because the exact content of the new agreement which will replace the “Safe Harbour” mechanism is still unknown. We will expand on the indications provided by the Commissioner on some of the negotiated protection mechanisms. More importantly, we will highlight the risks that over 4.000 companies, mainly US tech companies, still face and the measures they should put in place to ensure compliance with EU data protection rules.

Tag, You’re It: Biometric Information Privacy Act Class Action Against Shutterfly Moves Past 12(b)(6)

Over the last six months, at least four putative class actions have been filed under the Biometric Information Privacy Act (“BIPA”)—an obscure Illinois statute passed about seven years ago to regulate the collection and use of consumers’ biometric information. In relevant part, the BIPA requires entities in possession of biometric information (i.e., retina scans, fingerprints, voiceprints, etc.) to retain a specific written policy governing data retention and to collect written consent from consumers before collecting biometric information.

Not Taking “Yes” For An Answer: U.S. Supreme Court Rules That Unaccepted Offer Of Complete Individual Relief Does Not Moot Plaintiff’s Individual Or Class Action Claim

On January 20, 2016, in a highly anticipated decision (see October 27, 2015 blog) that will have implications for class action practice nationwide, the U.S. Supreme Court ruled that an unaccepted offer of judgment sufficient to completely satisfy an individual claim does not moot that claim or any class claim. The Supreme Court’s decision partially resolves a vigorously contested question of constitutional law that has been the subject of great dispute among federal Courts of Appeals for the last decade—whether a Rule 68 offer of judgment for complete relief deprives a court of Article III jurisdiction to hear only a “case or controversy.” In a 6-3 decision, the Supreme Court held that a live case and controversy still exists when a plaintiff refuses to accept an offer of judgment. In so holding, however, the Supreme Court suggested that it might reach a different decision if a defendant deposits funds sufficient to satisfy the plaintiff’s individual claims, and then obtains a judgment from the trial court in this amount.

Government Forces Awaken: The Rise of Cyber Regulators in 2016

As the sun sets on 2015, but before it rises again in the New Year, we predict that, in the realm of cyber and data security, 2016 will become known as the “Rise of the Regulators.” Regulators across numerous industries and virtually all levels of government will be brandishing their cyber enforcement and regulatory badges and announcing: “We’re from the Government and we’re here to help.”

Are You Overcomplicating Your Cybersecurity Processes?

Yes. I just asked that. For many, the response is likely “Yes! Of course we are! It’s *&^%$% cybersecurity – it’s complicated!” To which I would respond “Touché. It is…but it needn’t be overly complicated.” So, of course, I set out to find a complicated way to simplify it. And, in the spirit of National Cyber Security Awareness Month, I thought I would share two complicated ways to simplify your cybersecurity processes.

Do as You Say (and as You Should Do): How the Hospitality Industry Can Brace for Data Privacy Actions

On October 2, 2015, Trump International Hotels became the latest in a growing line of data breach class action victims. Driscoll v. Trump International Hotels Management LLC, No. 15-cv-1089 (S.D. Ill.). Indeed, the hospitality industry as a whole is seeing increased scrutiny from both plaintiffs’ attorneys and federal regulators. Less than two months ago, the Third Circuit Court of Appeals affirmed the Federal Trade Commission’s broad authority to clamp down on the allegedly lax cybersecurity measures implemented by Wyndham Worldwide. F.T.C. v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).

US Safe Harbor Regime Invalidated by Europe’s Highest Court

The Court of Justice of the European Union ruled this morning that the Safe Harbor regime, which enables transatlantic data transfers from the European Union to the United States, is invalid, thereby giving each national supervisory authority the chance to revisit the question of whether the U.S. provides an adequate level of protection for EU citizens’ data. A copy of the decision can be found here.

FTC v. Wyndham: The Third Circuit Recognizes FTC Authority to Regulate Commercial Cyber Security Practices

In 2014, the United States Court of Appeals for the Third Circuit, in FTC v. Wyndham Worldwide Corporation, agreed to hear an immediate appeal on two issues: “whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a); and, if so, whether Wyndham had fair notice its specific cybersecurity practices could fall short of that provision.” On August 24, 2015, the Third Circuit affirmed the decision of the District Court and denied Wyndham’s motion to dismiss the complaint.

Barbarians at the Gate: Seventh Circuit Finds Article III Standing for Data Breach Class Actions

As a result of the Supreme Court’s decision in Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013), data breach class actions were largely considered dead in the water. The overwhelming majority of courts, relying heavily on Clapper, dismiss data breach actions for the simple reason that until a consumer suffers actual identity theft, she lacks Article III standing to sue. In other words, without actual identity theft, the risk of future harm—as well as any money spent attempting to protect against potential identity theft—is purely speculative and does not suffice to constitute a legally cognizable injury.

The Baby and the Bathwater: The Department of Commerce’s Bureau of Industry and Security (BIS) Intrusion and Surveillance Software Export Licensing Proposal

If you are not aware, please take note that the July 20, 2015 deadline is fast approaching for comments to the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) proposed rule on the export control of certain intrusion and surveillance related software. The proposed rule, which addresses changes to the U.S. Export Administration Regulations (EAR), is designed to align with agreements made in the December 2013 Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, a multilateral export control regime with 41 participating states committed to promoting transparency and responsibility in cross-border transfers of arms and dual-use goods and technologies. The wide-reaching rule proposes adding new controls in Category 4 of the EAR’s Commerce Control List (CCL) intended to address “intrusion software” used by hackers and other cybercriminals. The difficulty is that, in the way the proposed rule is worded (and explained), it also subjects network penetration testing products, the type that use “intrusion software” to identify cyber-vulnerabilities, to the same export licensing requirements. That is to say, the manner in which the controlled intrusion software would be defined includes the good as well as the bad, and could have a chilling effect on beneficial research and development of defensive software.
