Cyber Concerns Lead to EU Recall of a Connected Kids Devices

By Liisa Thomas, Jonathan E. Meyer and Elfin Noce on February 13, 2019 Posted in Children's Privacy, Consumer Privacy, EU Privacy, Internet of Things

Citing cybersecurity concerns with a children’s smartwatch, the European Commission recently issued a recall of the device. The Safe-KID-One is a smartwatch that gives parents the ability to track and communicate with their children. According to the European Commission, security issues with the device could allow a hacker to access a user’s data, including location history, phone numbers and serial number. Additionally, the hacker could use the watch to “call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.” This is one of the first recalls of an internet of things device by the European Commission and puts device makers on notice that they should take cybersecurity seriously when designing new devices. Continue Reading

Court Finds Cybersecurity-Related Claims Sufficient in Securities Class Action

By Jonathan E. Meyer and Elfin Noce on February 6, 2019 Posted in Consumer Privacy, Cybersecurity, Data Breach, Data Security, Privacy

In the aftermath of Equifax’s data breach, a federal court recently found that allegations of poor cybersecurity coupled with misleading statements supported a proper cause of action. In its decision, the U.S. District Court for the Northern District of Georgia allowed a securities fraud class action case to continue against Equifax. The lawsuit claims the company issued false or misleading statements regarding the strength and quality of its cybersecurity measures. In their amended complaint, the plaintiffs cite Equifax’s claims of “strong data security and confidentiality standards” and “a highly sophisticated data information network that includes advanced security, protections and redundancies,” when, according to the plaintiffs’ allegations, Equifax’s cybersecurity practices “were grossly deficient and outdated” and “failed to implement even the most basic security measures.” The court found that data security is a core aspect of Equifax’s business and that investors are likely to review representations on data security when making their investment decisions. Continue Reading

Massachusetts Changes Data Breach Notification Requirements

By Shanna Pearce on January 29, 2019 Posted in Data Breach

The Governor of Massachusetts has just signed into law amendments to the state’s data breach notification law. The amendments will go into effect April 11, 2019. Under the amended law, companies whose breaches involve Social Security numbers must provide free credit monitoring services to affected individuals. The services must last 18 months (42 months if the breached company is a credit reporting agency). Companies can’t require individuals to waive their rights to sue in order to get free credit monitoring and must certify to the state that the services provided comply with the law. Continue Reading

Year In Review: Eye on Privacy 2018

By Liisa Thomas, Craig Cardon, Brian Anderson, Jonathan E. Meyer, Townsend Bourne and Kari Rollins on January 28, 2019 Posted in Consumer Privacy, Data Breach, Data Security

As the first month of 2019 comes to a close, it is clear that this year will be another busy one in the world of privacy. To help get a handle on what to worry about this year, it is helpful to look back on the privacy developments from 2018 and consider what will be recurring or new themes in the year to come. To help on this front, we have put together our comprehensive “year in review” bulletin. In this document, we’ve included all of the developments we reported on in 2018, in one handy spot. You can view the summary here. There were many themes that emerged, from biometrics to targeting, breach laws to breach enforcement, 2018 was a busy year in privacy. We expect 2019 to be equally packed with privacy developments. Continue Reading

EU and Japan Finalize Data Transfer Deal

By Shanna Pearce on January 28, 2019 Posted in Cross-Border Data Transfers, EU Privacy

As we previously reported the EU and Japan reached a tentative deal last summer to ease data transfer restrictions between them. That deal has now been approved by both the European Commission and by Japan and is effective immediately. When the tentative deal was reached, Japan promised to add several new data protection safeguards. Those included new individual rights and limits on further transfers to third countries. Japan also agreed to limit government access to personal data, and to give Europeans a way to complain about government access. Japan has now implemented those safeguards. As a result, the European Commission has decided that Japan provides an adequate level of protection for personal data under the EU’s General Data Protection Regulation. This means that personal data can now be transferred freely between the EU and Japan. The decision will be jointly reviewed in two years, and then every four years thereafter. It is the first adequacy decision under GDPR. Continue Reading

Canada’s PIPEDA Consent Guidelines Now In Effect

By Liisa Thomas and Amber Thomson on January 24, 2019 Posted in Canadian Privacy, Consumer Privacy

Canada’s new guidelines for obtaining consent under PIPEDA are now in effect. Last year federal Office of the Privacy Commissioner and the Alberta and British Columbia Offices of the Information and Privacy Commissioner jointly issued the guidelines, which outline how to get “meaningful” consent. The OPC will now apply the guidelines when looking at how companies obtained consent, and it has been reported that the guides are viewed by the regulators to have the force of law. Continue Reading

NY AG Settles Over Mobile App Security Issues

By Liisa Thomas and Amber Thomson on January 23, 2019 Posted in Data Security

Five companies settled with the New York Attorney General over mobile app data security issues at the end of last year. The AG alleged that the companies, Western Union, Priceline, Equifax, Spark Networks, and Credit Sesame, had a well-known security vulnerability in their apps. This vulnerability resulted in insecure connections between the apps and the companies’ servers. As a result, a third party could easily have gained access to people’s sensitive information. Continue Reading

South Carolina’s Insurance Breach Notice Requirements Now In Effect

By Liisa Thomas and Shanna Pearce on January 22, 2019 Posted in Data Breach, Data Security

South Carolina now has specific breach and security requirements for insurance companies. The law applies to those licensed under the state’s insurance laws and went into effect January 1. Under the law, companies must tell the insurance regulator within 72 hours of determining that a breach occurred. Other breach requirements include conducting investigations and keeping records of incidents for at least five years. This new notice requirement does not exempt companies from South Carolina’s general breach notice law, which requires notice to impacted individuals. Continue Reading

No Federal Court Standing for BIPA Violation Without Injury

By Shanna Pearce on January 16, 2019 Posted in Biometrics, Employee Privacy

A lawsuit against US Cold Storage under the Biometric Information Privacy Act was recently dismissed because, the court held, the violations of the law were merely technical. As a result, the plaintiff did not have sufficient standing. This decision echoes the other cases we have reported on recently. Continue Reading

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree