FTC Seeks Comment on Fundamental Privacy Enforcement Issues

On August 6, the FTC announced that it is seeking comment on a number of topics that are fundamental to its work, including on privacy. These topics will form the basis of its hearings on “Competition and Consumer Protection in the 21st Century”, which it will hold from September through January 2019, as we recently mentioned on this blog. The hearings will cover a variety of topics critical to the FTC, a few of which relate directly to privacy issues. These include:

• The intersection of privacy, big data, and competition, including the benefits and costs of privacy laws, and the benefits, costs and conflicts of such laws existing at different levels of government (federal, state, local, etc.);
• The Commission’s remedial authority to deter unfair and deceptive conduct. This is probably the most significant topic, because it touches on the expansiveness of the Commission’s authority to regulate privacy issues. It follows on Commission Chairman Simons’s recent testimony in the House of Representatives that the Commission may need more and better authority in the privacy realm than its current reliance on Section 5 of the Federal Trade Commission Act’s focus on unfair and deceptive practices;
• The welfare effects and privacy implications of using algorithmic decision tools and predictive analytics; and
• The efficacy of the FTC’s current investigation and remedial processes. Continue Reading

EU and Japan Strike Tentative Data Transfer Deal

The EU and Japan have reached a “reciprocal adequacy” agreement to allow data to flow more easily between them. As part of a larger bilateral trade deal which included commitments by both parties to reduce tariffs, Japan also agreed to enact additional safeguards to comply with new EU data protection standards. Those additional safeguards include increased data subject rights to access and correction, restrictions upon transfers of EU data from Japan to third countries, and limits on the use of sensitive data. Japan’s independent data protection authority would have enforcement authority over the new rules, and would investigate and resolve complaints from European data subjects. If it is approved by internal committees and regulators in both the EU and Japan, the deal will come into effect this Fall. This agreement comes after pressure this summer from the EU Parliament to suspend the US-EU agreement currently in place (the “Privacy Shield” program). Continue Reading

DOJ Report Suggests Direction For Addressing Cyber Threats

As many of you have no doubt seen, the Justice Department recently released the report of the Attorney General’s Cyber Digital Task Force, a body the Attorney General had created in February. In the report, the Task Force, chaired by Deputy Attorney General Rod Rosenstein, seeks to answer the question: “How is the Department responding to cyber threats?” On the off chance that you’re not dying to read all 144 pages, we have provided a short summary and a couple of takeaways below. Continue Reading

Louisiana’s Breach Notification Law Update Now In Effect

As we wrote when the law passed, Louisiana updated its data breach notification statute earlier this year. The new law becomes effective today (August 1), and comes close on the heels of the July 20th effective date of Arizona’s update to its breach law. As modified, the Louisiana law adds biometric information as well as state ID and passport numbers to the definition of personal information. It also joins a trend that imposes a specific notification timeline by requiring that notice be made (namely within 60 days of the discovery of the breach). The law also requires that companies keep written records of unreported breaches for five years. Companies must provide that record to the state Attorney General if requested.  Continue Reading

The California Privacy Law Is Coming: What Should Your Company Do Now?

As has been widely reported, California’s new privacy regime is set to come into effect on January 1, 2020. The law constitutes an expansion beyond California’s existing privacy laws, in particular California’s existing Shine the Light Law and the California Online Privacy Protection Act. Various provisions of the new law will apply to businesses with annual total revenue greater than $25 million (not just in California), that obtain or share for commercial purposes the personal information of 50,000 or more, or that get 50% or more of their revenue from selling or sharing PII. The law was passed quickly to avoid a similar voter-initiative ballot measure, and as a result has several ambiguities and apparent inconsistencies. It is therefore very likely that the law will be changed by amendment, and clarified through rules and regulations, before it comes into effect in 2020.  Continue Reading

Arizona’s Notice Law Now In Effect

As we wrote when the law passed, Arizona has expanded its data breach notification law. The law’s effective date was July 20, and now includes several new elements. Included is a requirement to notify the state attorney general if more than 1,000 individuals have been impacted, and gives an expanded ability to notify by email. Timing of notification has changed from “most expedient” to within 45 days. The Arizona law also now has content requirements for notifications, and do not need to notify if an independent forensic firm or law enforcement determine that there has been no risk of “substantial economic loss.”

Putting it Into Practice: Companies should keep in mind these new elements of Arizona’s law for their nationwide breach notice plans.

 

FTC Pursuing, and Getting More Specific, About Privacy Post-LabMD Finding

The Eleventh Circuit recently issued a long awaited ruling in the LabMD case. In that case, the FTC had gone after a cancer detection facility that suffered a data breach.  The agency criticized the company for lax data security and in July 2016 issued a broad order against the company requiring changes to the company’s systems.  Unlike most other companies that find themselves in the FTC’s crosshairs, LabMD fought back.  It objected to the FTC’s original administrative complaint on both substantive and procedural grounds and prevailed before an Administrative Law Judge, who was then overruled by the FTC.  This led LabMD to appeal to the Eleventh Circuit, which punted on some key issues it could have addressed, including what type of injury is cognizable when it comes to data breaches, a question that is posing itself frequently in data privacy cases of all types, not just those relating to Section 5. It also did not discuss what type of notice the FTC must provide for companies to know what it considers “reasonable” security measures.  Instead, it issued a relatively narrow ruling relating to the vagueness of the FTC’s order. Namely, that requiring LabMD to cease and desist its prior practices and revise and replace its data security program was not specific enough.  Because of this ruling, we expect to see more specific orders from the FTC, along the lines of the BLU settlement we reported on recently. Continue Reading

Vermont Is First Mover Regulating Data Brokers

Vermont recently enacted a data broker security law, one of the first of its kind. The law, which went into in May, requires data brokers to develop and implement a comprehensive security program. The program needs to include administrative and technical safeguards to protect personal information. Data brokers are defined as businesses that collect and sell or license data about consumers with whom the business does not have a direct relationship. Continue Reading

FTC Provides Insight into COPPA Deletion Requirements

The Federal Trade Commission recently posted a blog entry reminding companies about the deletion requirements under the Children’s Online Privacy Protection Act. Namely, that companies under the Act must give parents the right to review and delete their children’s information. In addition COPPA also requires companies to delete children’s personal information when the information is no longer necessary to fulfill the purpose for which it was originally requested. An example given is when a parent decides not to renew a subscription on behalf of their child. In that case, the company must delete the information even if the parent has not specifically requested deletion. The FTC recommends that companies make sure that their document retention policies take into account the stated purposes for which children’s personal information is collected, and under what circumstances the information will no longer be needed for those purposes. The FTC also recommends that companies ensure that they have secure deletion practices in place. Continue Reading

Texas Hospital Order to Pay $4.3M for Failure to Implement its HIPAA Security Policies

A Texas hospital was recently ordered by an administrative law judge to pay a $4,300,000 penalty for three data breaches over the course of 2012 and 2013 that exposed the personal health information – including social security numbers, patient names and treatment records – of more than 33,000 individuals in violation of HIPAA. The specific incidents related to the theft of an unencrypted laptop and the loss of unencrypted USB flash drives, both of which contained electronic personal health information. Continue Reading

LexBlog

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree