The Eleventh Circuit recently issued a long awaited ruling in the LabMD case. In that case, the FTC had gone after a cancer detection facility that suffered a data breach. The agency criticized the company for lax data security and in July 2016 issued a broad order against the company requiring changes to the company’s systems. Unlike most other companies that find themselves in the FTC’s crosshairs, LabMD fought back. It objected to the FTC’s original administrative complaint on both substantive and procedural grounds and prevailed before an Administrative Law Judge, who was then overruled by the FTC. This led LabMD to appeal to the Eleventh Circuit, which punted on some key issues it could have addressed, including what type of injury is cognizable when it comes to data breaches, a question that is posing itself frequently in data privacy cases of all types, not just those relating to Section 5. It also did not discuss what type of notice the FTC must provide for companies to know what it considers “reasonable” security measures. Instead, it issued a relatively narrow ruling relating to the vagueness of the FTC’s order. Namely, that requiring LabMD to cease and desist its prior practices and revise and replace its data security program was not specific enough. Because of this ruling, we expect to see more specific orders from the FTC, along the lines of the BLU settlement we reported on recently. Continue Reading
Vermont recently enacted a data broker security law, one of the first of its kind. The law, which went into in May, requires data brokers to develop and implement a comprehensive security program. The program needs to include administrative and technical safeguards to protect personal information. Data brokers are defined as businesses that collect and sell or license data about consumers with whom the business does not have a direct relationship. Continue Reading
The Federal Trade Commission recently posted a blog entry reminding companies about the deletion requirements under the Children’s Online Privacy Protection Act. Namely, that companies under the Act must give parents the right to review and delete their children’s information. In addition COPPA also requires companies to delete children’s personal information when the information is no longer necessary to fulfill the purpose for which it was originally requested. An example given is when a parent decides not to renew a subscription on behalf of their child. In that case, the company must delete the information even if the parent has not specifically requested deletion. The FTC recommends that companies make sure that their document retention policies take into account the stated purposes for which children’s personal information is collected, and under what circumstances the information will no longer be needed for those purposes. The FTC also recommends that companies ensure that they have secure deletion practices in place. Continue Reading
A Texas hospital was recently ordered by an administrative law judge to pay a $4,300,000 penalty for three data breaches over the course of 2012 and 2013 that exposed the personal health information – including social security numbers, patient names and treatment records – of more than 33,000 individuals in violation of HIPAA. The specific incidents related to the theft of an unencrypted laptop and the loss of unencrypted USB flash drives, both of which contained electronic personal health information. Continue Reading
Just as companies may be catching their breath after sprinting to get ready for GDPR in time for its recent implementation date, the FTC has now entered the enforcement fray. It has stated that, where companies are choosing to apply GDPR protections to American consumers, the FTC may enforce any failures to abide by those commitments. What does this mean for US companies? As many implemented compliance with GDPR, a number of companies stated publicly that they would be providing some -or all- of the same protections to their other customers. It made sense for the companies – once they were reconfiguring their policies and systems to meet the GDPR requirements for European customers, why not offer the same protections to individuals outside the EU? It was comparatively easy to do and it was good consumer PR. But now the FTC plans to hold them to it. Continue Reading
As we wrote when the law passed, South Dakota now has a data breach notification law, making it the last state to have a data breach notification statute on the books. (The breach notification law of the other hold-out state, Alabama, went into effect on June 1.) The law is now in effect, and as we reported, mirrors many facets of other states’ breach laws. Notification is required when there is an unauthorized acquisition of unencrypted computerized data (or encrypted data where the key is compromised). Encryption is defined in South Dakota (unlike many other states), and notification must occur within 60 days. If notification to more than 250 South Dakota residents is required a company must notify state authorities as well. Continue Reading
Colorado’s governor recently signed into law an update to the state’s breach notice law. As we reported yesterday the new law takes effect on September 1, 2018. As amended, the definition of “personal information” now also includes student, military or passport identification numbers, medical information, health insurance identification numbers, biometric data, and a resident’s username or email address (in combination with passwords or security questions). The law now calls for companies to conduct investigations when they become aware that a breach may have occurred (rather than when they become aware of a breach). Also modified is the window that companies have to provide notice, joining Florida in requiring notice within 30 days (as compared to the current “without unreasonable delay”).
Colorado’s recently passed breach notice law, which goes into effect on September 1, includes a data security requirement. This mirrors the change to the Louisiana breach notice law we reported about yesterday. Under the law, companies will need to have “reasonable” security practices and procedures that protect personal information. Personal information is defined as social security numbers, personal identification number, a password or pass code, state ID numbers, and biometric data. The law also will require companies to ensure that third parties with whom they share personal information have reasonable security protections.
Louisiana has joined the growing list of states updating their data breach notification law in 2018. Others include, as we have reported, Arizona and Oregon. The law has now been amended to include biometric information, state ID number, and passport number in the definition of personal information. It also adds a 60-day notice timeline from “the discovery of the breach.” If the 60-day timeline is not met because of a law enforcement request or because it takes longer to find out the scope of the breach and restore company’s systems, the law requires that the company explain the delay to the state Attorney General. The law now also permits companies not to notify if, after a reasonable investigation, they determine that “there is no likelihood of harm to the residents of this state.” Companies must keep a written record – for five years – of breaches it did not report. This record must be given to the AG, if requested, within 60 days. The amendments to the Louisiana law go into effect on August 1st, 2018.
Louisiana’s breach notice law has been amended to require companies to protect personal information. The definition of personal information matches that which -if breached- would give rise to a duty to notify. This includes name combined with social security numbers, drivers’ license (and state ID/passport numbers) or financial account numbers. The law applies to companies that “maintain computerized information” and require that entities (1) have reasonable security procedures and practices “appropriate to the nature of the information” that protects against unauthorized access, destruction, use, modification and disclosure and (2) destroy personal information or make it unreadable when it is no longer needed by “shredding, erasing” or making the information otherwise unreadable. Louisiana joins a growing list of states that have such data protection requirements, including California, Connecticut, Delaware, Florida, Massachusetts, Nevada, and New Jersey to name but a few. The requirement goes into effect August 1, 2018.