2018: The Year of the FTC and Informational Injuries?

What constitutes actionable consumer injuries post-breach or data misuse is a hotly contested topic. As we reported in our Advertising blog late last year, the FTC hosted a workshop on December 12th to look at the issue. A large focus during the workshop was what constitutes harm to consumers. While there is a school of thought that consumers should have standing to bring action only if there is actual harm to consumers, panelists attending the workshop argued that potential future harm should be actionable as well. We anticipate hearing more from the FTC as a result of this workshop during 2018.

The Encryption Battle Will Continue in 2018

While they may disagree in other areas, one thing that former FBI Director James Comey, current Deputy Attorney General Rod Rosenstein, and current FBI Director Christopher Wray all have in common is their distaste for strong encryption that prevents the government from accessing information. In 2016, Comey and the Justice Department went to court to try to force Apple to help the government decrypt messages sent by the San Bernardino terrorist attackers. A few months ago, Rosenstein picked up that torch, discussing the need for government access to encrypted information in two separate speeches in October, then repeating his views in the wake of November’s mass shooting at a church in Texas. On January 10, Wray raised the subject in a speech, referring to it as “an urgent public safety issue.” At the same time, as tech companies are quick to point out, the rising tide of information snooping by foreign governments and private actors makes the need for strong encryption greater than ever. The Trump Administration’s strong law-and-order stance, and relative lack of sympathy for tech companies and civil libertarians, mean that 2018 could lead to new developments in this area.

As GDPR Looms, Australia to Participate in APEC’s CBPR Program

Late last year, Australia’s Attorney General confirmed that Australia planned to participate in APEC’s Cross Border Privacy Rules (CBPR) system. The CBPR system was intended to help companies that want to transfer personal data across the borders of participating countries. Currently there are five participating countries: Canada, Japan, South Korea, Mexico, and the US. This scheme has been viewed by some as a hopeful complement to the Binding Corporate Rules concept under the EU Data Privacy Directive. In recognition of the overlap between the two, the Article 29 Working Party and the APEC Electronic Steering Group put together a checklist of the commonalities between Binding Corporate Rules and CBPR certification.

2018 Likely a Year of Rising Government Standards for Securing Information

For companies that do business with the government, 2017 was a year of transition, as many began to follow the NIST Cybersecurity Framework, worked to accomplish Federal Risk and Authorization Management Program (FedRAMP) certification, or rushed to rid their systems of products from Kaspersky Lab. Perhaps most significant was the rush of Pentagon contractors to come into compliance by year’s end with NIST Special Publication (SP) 800-171, as mandated by a new provision of the Defense Federal Acquisition Regulation Supplement (DFARS). This provision requires contractors to comply with NIST’s standards on protecting Controlled Unclassified Information (CUI).

ESPN Knocks VPPA Suit Out Of The Park

The Ninth Circuit recently joined the Third Circuit in defining PII under the VPPA as “information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior.” In the case, Eichenberger v. ESPN, Inc., the court found that because an ordinary person could not have identified the plaintiff from the information ESPN divulged to a third party (the plaintiff’s Roku device serial number and video history), the plaintiff failed to state a claim. For that reason the Ninth Circuit affirmed dismissal of the VPPA claim.

2017 Saw Ransomware on the Rise – 2018 Will See Even More

It’s fair to say that ransomware exploded in 2017. After inflicting an estimated $350 million in damage in 2015 and $850 million in 2016, at least one source estimates that it hit $5 billion last year. Most prominent among the attacks were WannaCry, which shut down computers in 80 organizations affiliated with Britain’s National Health Service among many other infections, and NotPetya, which attacked many international companies’ computer systems.

How Will Breach Laws Develop in 2018?

You hopefully already know that Maryland’s amendment to its data breach notification law went into effect this week (on January 1, 2018). We anticipate that other states may follow one of Maryland’s modifications, namely its expansion of the definition of personal information. Under the amended law “personal information” now includes an expanded definition of biometric information. Biometric information is defined as any automatically generated biologic measurements, rather than just specifically listed items like fingerprints (the definition prior to the amendment). A handful of states have laws, like Maryland’s, that include biometric information in the definition of personal information. Those include Illinois, Nebraska, Nevada, North Carolina, Wisconsin, and Wyoming. We expect other states may join these. We also expect that states may otherwise continue to expand the definition of personal information in their breach notice laws.

Cybersecurity in the First Year of the Trump Administration

As might be expected, the first year of the Trump Administration saw a lot of activity on the cybersecurity front. In May, the Administration issued its “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” As we discussed in an analysis we issued shortly thereafter, the Order brought more accountability to agencies for monitoring their own cybersecurity, and required them all to implement the NIST Cybersecurity Framework. In September, the Department of Homeland Security banned the use of products, solutions or services offered by Kaspersky Lab. And of course, cybersecurity continues to play an important role in ongoing investigations and political activities relating to the hacking of the Democratic National Committee.

France Joins Others, Enforces Against Connected Toys

France’s data protection commissioner joins others in taking action against toymaker Genesis Toys related to its popular internet-connected toys My Friend Cayla and i-Que Robot. Last December, a number of consumer groups filed complaints with regulators in the U.S. and Europe raising privacy and security concerns about the toys. The groups asserted that the toys fail to meet U.S. and E.U. privacy and data protection standards because the toys record and collect the conversations of children without parental consent and without limitations on the collection, use, or disclosure of the information, and because the toys can be easily hacked by third parties.
