Maine Passes Broadband Privacy Bill

By Elfin Noce on June 12, 2019 Posted in Data Security, Telecommunications Privacy

Maine entered the privacy fray last week when Governor Janet T. Mills signed legislation targeting internet service providers by prohibiting the sale of information about customers’ internet use. The new restriction covers, in part, customer web browsing history, application usage history, and geolocation information. An internet service provider may only use, disclose, sell or permit access to such information with either the customer’s consent or by complying with one of the few outlined exceptions in the statute. Continue Reading

SEC Issues Alert On Outsourcing and Data Security

By Liisa Thomas, Sarah Aberg, Kari Rollins and Katherine Boy Skipsey* on June 11, 2019 Posted in Data Security, SEC

The SEC recently issued a risk alert warning about using vendors and cloud-based platforms. Many broker dealers and investment advisors are turning to these third parties to store customer data. In its alert, the SEC’s Office of Compliance Inspections and Examinations warns firms that relying on those third parties’ security tools is not, in and of itself, sufficient for the companies to demonstrate compliance with Regulations S-P and S-ID. These regulations require broker-dealers and investment advisers to protect customer records and detect and prevent identity theft. Continue Reading

Washington Enacts Restrictions on Applicant Wage and Salary Questions

By Elfin Noce and Shawn D. Fabian on June 10, 2019 Posted in Employee Privacy

Washington State will have new restrictions on what employers can ask applicants regarding their wage and salary history starting July 28, 2019. The new legislation will prohibit employers from seeking wage or salary history from job applicants in the state. Additionally, employers will not be able to require that an applicant’s prior salary history meet certain criteria. There are some limited exceptions to this general rule. First, employer can confirm an applicant’s wage or salary if the applicant has voluntarily disclosed that history. Second, the employer can confirm the information after having negotiated and made an employment offer. Continue Reading

Interest-Based Advertising Enforcer Hits 100

By Liisa Thomas on June 3, 2019 Posted in Advertising, Behavioral Advertising

The Online Interest Based-Advertising Accountability Program, which enforces privacy principles for digital advertising, recently announced its 100^th action. In announcing this landmark, the Accountability Program looked back at the nature of the cases it has brought, noting that it has covered both desktop and mobile issues, and its focus has fallen into a few key categories. These include providing consumers with “enhanced notice” of behavioral advertising activities and ensuring that opt-out tools exist (and that they work!). The Accountability Program also took the opportunity to remind online advertisers about its OBA Self-Regulatory Principles, and the guidance for applying the principles in a mobile environment. Continue Reading

Like a Butterfly, Will the CCPA Continue to Evolve?

By Rebecca Mackin, Craig Cardon, Rachel Tarko Hudson, Liisa Thomas and Brian Anderson on May 28, 2019 Posted in California, CCPA, Consumer Privacy, US Privacy

California legislators have passed many bills to amend the California Consumer Protection Act since the law was passed. Last week there was significant developments in the status of those bills, as we reported. In addition to dropping the concept of a private right of action for non-breach matters, there are other key things to keep in mind. Some are good news for corporations, but some pending bills that would have helped clarify the law are not moving forward. On the pro-business side, employers and businesses that focus on handling employee data will be happy to learn of the revised definition to consumers. On the pro-consumer side, however, a bill was withdrawn that would have allowed the sharing of unique consumer identifiers for marketing purposes without being considered a “sale,” drawing a chorus of “shucks” from businesses alike. Keep reading for the details. Continue Reading

Feds Want New IoT Guidance to Address Security Vulnerabilities

By Townsend Bourne and Elfin Noce on May 22, 2019 Posted in Cybersecurity, Data Security, Government Privacy, Internet of Things

“Internet of Things” devices are listening. And now the federal government is taking notice. As we reported in our Government Contracts and Investigations blog, to date, federal cybersecurity regulations for government contractors focus on implementing safeguards to protect sensitive government data. A gap has emerged where the federal government purchases IoT devices. Those devices collect and send data online, and are thus are susceptible to hacking and listening in. Proposed legislation recently introduced in both the Senate (S.734) and the House (H.R. 1668) calls for new information security standards to manage these cybersecurity risks. This legislation would affect a wide range of IoT devices. I.e., a device connect to the internet that is not a “general purpose computing device.” Continue Reading

Ding Dong the CCPA Private Right of Action is (Mostly) Dead!

By Rachel Tarko Hudson, Craig Cardon, Snehal Desai and Liisa Thomas on May 17, 2019 Posted in CCPA

Whether your favorite movie is The Wizard of Oz or The Princess Bride, we can all agree there is some good news about the California Consumer Privacy Act (CCPA) this Friday afternoon! SB 561 appears to have (mostly) died in the Senate Appropriations Committee during a hearing held yesterday. While the act as originally drafted only provided for Attorney General enforcement (except for one section addressing data security breaches), SB 561 added a private right of action as well as statutory damages for any violation of the act. This amendment clearly would have significantly increased the risks of any failure to comply with CCPA, no matter how small. But remember the words of Miracle Max – “There’s a big difference between mostly dead and all dead. Mostly dead is slightly alive.” So while it is possible that another amendment could be introduced at a later date, for now at least, the act will likely remain as drafted with enforcement coming only from the AG’s office, except in data breaches. Continue Reading

New Jersey Breach Notice Law Expands To Cover Online Account Breaches

By Elfin Noce, Liisa Thomas and Kari Rollins on May 16, 2019 Posted in Data Breach, Data Security

New Jersey joins a growing list of states that include user name, email address or any other identifier in combination with any password or security question and answer would permit access to an online account as personal information that, if breached, would give rise to a duty to notify. Other states that include these identifiers as “triggering” of their states’ breach notice statutes include Alabama, Arizona, California, Colorado, Delaware, Florida, Nebraska, Nevada, Puerto Rico, South Dakota and Wyoming. This legislation was recently signed by Governor Phil Murphy and will be effective September 1, 2019. Continue Reading

HHS Reduces Penalties for HIPAA Violations; Distinguishes Based on Culpability

By Susan Ingargiola and Matthew Shatzkes on May 15, 2019 Posted in Healthcare Privacy

The U.S. Department of Health and Human Services recently published a Notice of Enforcement Discretion that markedly reduced HIPAA-related penalties. According to the Notice, effective immediately, HHS will change how it applies regulations concerning the assessment of Civil Money Penalties under HIPAA. Prior to issuance of the Notice, HHS regulations applied the same $1.5 million cumulative annual CMP limit across all categories of violations (which are based on the level of culpability of the violator). In other words, if a company found itself in violation of HIPAA, the penalties for which it would be responsible could be no more than $1.5 million per year regardless of the category of violation and regardless of the number of violations the company had committed. Continue Reading

Utah Requires Law Enforcement Search Warrants

By Elfin Noce on May 14, 2019 Posted in Consumer Privacy, Data Security

Effective this week, law enforcement in Utah will need a search warrant to obtain for certain electronic records. The new state legislation looks to expand privacy protections for content that consumers store online. Generally, the third-party doctrine limits the protection this type of information receives under Fourth Amendment protections against unreasonable searches and seizures. The rationale being that individuals have already voluntarily disclosed this information to the service provider and, thus, have no reasonable expectation of privacy in that information. This new law seeks to chip away at the third-party doctrine, as consumers are putting more and more of their personal information online in the hands of service providers with the expectation that the information to stay private. What this means in practice is that state and local law enforcement in Utah will need to meet a greater burden of proof to access this content. Continue Reading

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree