A Texas court recently affirmed the viability of potential nationwide class actions brought under the federal Driver's Privacy Protection Act ("DPPA"), in a case brought by an individual whose personal information had allegedly been obtained illegally from the Texas DMV database. The case was filed by a Texas resident, Arthur Lopez, who complained of receiving direct mail from Don Herring Ltd., a local Texas car dealer. Lopez claims that Herring's personalized advertisement violated the DPPA. The advertisement contained Lopez's full name, address, and the make and model of his car. Lopez alleged that he had never heard of Herring and had no idea how Herring obtained his personal information without his consent.
The Better Business Bureau's Online Interest-Based Advertising Accountability Program announced that it will require interest-based video ads to provide notice and choice to viewers as of April 1, 2018, as we reported in our Advertising blog, in line with the Digital Advertising Alliance's self-regulatory principles for interest-based advertising. As providers of interest-based video ad networks and services gear up for the deadline, there are three core areas to think about. First, the basics: are you engaging in interest-based advertising when serving your video ads? Now, in advance of the April 1 date, is the time to have these conversations with your business teams. Second, if the answer is yes, how are users being provided with notice, and is that notice compliant with the DAA Principles? For example, is it up-front? Does it direct users to a location where they can get more detailed information about your activities? Third, how are users being provided with choice? For those who already engage in other types of interest-based advertising, these steps will sound familiar, but extending the conversation with marketing to video advertising may be new.
At the end of last year the Department of Health and Human Services Office for Civil Rights (OCR) announced its resolution agreement and $2.3 million settlement with 21st Century Oncology. The company, which billed itself as the largest operator of cancer treatment centers in the world, filed for bankruptcy in May 2017. OCR's press release on the breach settlement stated that 21st Century Oncology was twice notified by the FBI in 2015 that patient information had been illegally obtained and was being sold. Following that notice, the company determined through an internal investigation that an attacker may have reached its network SQL database over Remote Desktop Protocol (RDP) in early October 2015, and that 2,213,597 individuals were potentially affected. Information accessed included names, dates of birth, Social Security numbers, physicians' names, diagnoses, treatments, and insurance information. Notably, the company learned of the compromise from law enforcement rather than from its own monitoring, and the access path it identified, remote access reaching an internal database, is one that a review of exposed remote-access services and database network segmentation is meant to catch.
What constitutes an actionable consumer injury after a breach or data misuse is a hotly contested topic. As we reported in our Advertising blog late last year, the FTC hosted a workshop on December 12th to examine the issue. Much of the workshop focused on what constitutes harm to consumers. While one school of thought holds that consumers should have standing to sue only where they have suffered actual harm, panelists at the workshop argued that the risk of future harm should be actionable as well. We anticipate hearing more from the FTC on this subject during 2018.
While they may disagree in other areas, one thing that former FBI Director James Comey, current Deputy Attorney General Rod Rosenstein, and current FBI Director Christopher Wray all have in common is their distaste for strong encryption that prevents the government from accessing information. In 2016, Comey and the Justice Department went to court to try to force Apple to help the government unlock an iPhone used by one of the San Bernardino terrorist attackers; the order sought would have required Apple to produce software disabling the device's passcode protections so the passcode could be guessed by brute force. A few months ago, Rosenstein picked up that torch, discussing the need for government access to encrypted information in two separate speeches in October, then repeating his views in the wake of November's mass shooting at a church in Texas. On January 10, Wray raised the subject in a speech, calling it "an urgent public safety issue." At the same time, as tech companies are quick to point out, the rising tide of information snooping by foreign governments and private actors makes the need for strong encryption greater than ever, and any mechanism that gives the government access to encrypted data is a mechanism that must itself be protected from those same actors. The Trump Administration's strong law-and-order stance, and relative lack of sympathy for tech companies and civil libertarians, mean that 2018 could bring new developments in this area.
Late last year, Australia's Attorney General confirmed that Australia plans to participate in APEC's Cross Border Privacy Rules (CBPR) system. The CBPR system is intended to help companies that want to transfer personal data across the borders of participating countries. Currently there are five participating countries: Canada, Japan, South Korea, Mexico, and the US. Some view this scheme as a promising complement to the Binding Corporate Rules concept under the EU Data Protection Directive (carried forward under the GDPR). In recognition of the overlap between the two, the Article 29 Working Party and the APEC Electronic Commerce Steering Group put together a checklist of the commonalities between Binding Corporate Rules and CBPR certification.
For companies that do business with the government, 2017 was a year of transition, as many began to follow the NIST Cybersecurity Framework, worked toward Federal Risk and Authorization Management Program (FedRAMP) authorization, or rushed to remove Kaspersky Lab products from their systems. Perhaps most significant was the rush of Pentagon contractors to come into compliance by year's end with NIST Special Publication (SP) 800-171, as mandated by a provision of the Defense Federal Acquisition Regulation Supplement (DFARS), clause 252.204-7012. This provision requires contractors to implement NIST's security requirements for protecting Controlled Unclassified Information (CUI) on their own information systems, and contractors that had not fully implemented them by the deadline were expected to document the gaps in a system security plan and plans of action.
The Ninth Circuit recently joined the Third Circuit in defining personally identifiable information (PII) under the Video Privacy Protection Act (VPPA) as "information that would readily permit an ordinary person to identify a specific individual's video-watching behavior." In the case, Eichenberger v. ESPN, Inc., the court found that because an ordinary person could not have identified the plaintiff from the information ESPN divulged to a third party (the plaintiff's Roku device serial number and video history), the plaintiff failed to state a claim. For that reason the Ninth Circuit affirmed dismissal of the VPPA claim. The standard turns on what an ordinary person could do with the disclosed data, not on what a sophisticated recipient holding other datasets could do by linking a persistent device identifier to an individual.
It's fair to say that ransomware exploded in 2017. After inflicting an estimated $350 million in damage in 2015 and $850 million in 2016, at least one source estimates that it caused $5 billion in damage last year. Most prominent were WannaCry, which spread on its own through an SMBv1 exploit and shut down computers in roughly 80 organizations affiliated with Britain's National Health Service among many other infections, and NotPetya, which crippled the computer systems of many international companies. NotPetya is worth a caveat: although it presented itself as ransomware, it was in practice destructive, and paying the ransom did not recover the affected machines, which is why it is often classified as a wiper rather than as ransomware proper.
2018 should prove to be a particularly interesting year on the subject of government access to private electronic records, as 2017 served as an interesting prelude to what's ahead.