DoC Comments on Privacy Shield In Advance of GDPR

The Department of Commerce issued an update to explain how it has supported the E.U.-U.S. and Swiss-U.S. Privacy Shield frameworks. As we have written previously, the Shield gives E.U. companies a basis under which they can send personal data to entities in the U.S. The comments from Commerce come after the Europeans raised concerns about the sufficiency of the program, which gets re-evaluated annually.

DHS Releases New Cybersecurity Strategy

On May 15, the Department of Homeland Security released its long-awaited Cybersecurity Strategy.

The Strategy aims to reduce cybersecurity risk through “an innovative approach that fully leverages our collective capabilities across the Department and the entire cybersecurity community.” It sets a course of cybersecurity policy for the Department for the next five years and signals a more assertive approach to cyber vis-à-vis other agencies by setting forth clearer consequences for agencies that don’t adopt best practices. It also fleshes out an initiative for DHS to engage the private sector more actively and share cybersecurity tools directly with industry, especially critical infrastructure sectors such as hospitals, information technology, health care, transportation systems and chemical plants.

FTC Expresses Concerns Over Mobile Security Updates

In its recent report (Mobile Security Updates: Understanding the Issues), the FTC expressed concerns with the process for keeping mobile devices updated and secure. Of particular concern for the FTC were inconsistencies in the length of time that support is offered for mobile devices, the frequency of updates and the perceived lapse of time between identifying a vulnerability and effectively installing a patch on consumers’ devices. Further, the FTC was worried that information about device support and update frequency is not always clear to consumers, and is not always maintained by manufacturers.

NJ AG Settles with Chinese Firm Over COPPA Violations, FTC Sends Warning Letters

The NJ attorney general recently announced that it settled with a Chinese entity over violations of COPPA. The company promotes itself as a “virtual beauty counter,” and makes a variety of apps that let consumers virtually try on makeup. These apps include facial recognition technology, as well as photo-editing tools that allow users to customize and touch up their photos (the apps include Beauty Plus, AirBrush, and Meitu). The apps, according to the AG, allowed children under 13 to submit personal information without first getting parental consent, in violation of the Children’s Online Privacy Protection Act.

Dawn of the New FTC

On April 26, the Senate voted to confirm nominees to all five Commissioner slots on the Federal Trade Commission. It was the first time the entire FTC has been confirmed at once since its founding in 1914. The new roster of Commissioners raises new questions about the role the FTC will play in cybersecurity and privacy. It has become increasingly active in this area in recent years and wholesale turnover at the top of the Commission could have a lasting effect on this body of law.

Biometric Breakdown Part IV – Protecting

In continuing our series on biometrics, we conclude with an analysis of protection requirements and risks. Illinois, Texas, and Washington—the three states which have thus far implemented specific biometric privacy laws—each require companies to reasonably protect biometric data in their possession. Illinois and Texas have further specified that the data must be protected to the same degree as other confidential and secret information. All three states require that the data be destroyed within a fixed amount of time.

Biometric Breakdown Part III – Sharing

We’ve looked in our series at what companies should do when collecting biometric information, and now we turn to issues around sharing biometric information. The three states which have thus far enacted specific biometric privacy legislation—Illinois, Texas, and Washington—each place restrictions upon the sharing of biometric information. Illinois has imposed a blanket prohibition upon the sale of biometric information. The information may be shared if needed to complete a financial transaction authorized by the individual, if required by law, or, if the individual provides consent, for any other purpose.

More Breach Law Changes: Arizona Updates Notice Law

Arizona’s Governor recently signed HB2154, which expands Arizona’s data breach notice law. The law was effective upon signing, and now requires companies to notify the state attorney general when more than 1,000 individuals have been impacted. It also allows email notice if the company has the individual’s email address. This removes the need to have email be the “primary method of communication” or be consistent with the eSign Act. Timing of notice has also changed, and must occur within 45 days instead of “in the most expedient time necessary and without unreasonable delay.” Notice in Arizona now also needs to include specific information, including the date of the breach, type of information impacted, as well as consumer reporting agencies’ and FTC contact information. In another change, companies do not need to notify under the law if an independent forensic firm or law enforcement determines that there has been no risk of “substantial economic loss.”

Biometric Breakdown Part II – Collection

Continuing our series, we look today at what a company should think about when collecting biometric data. Three U.S. states—Illinois, Texas, and Washington—have laws on point. The Illinois statute is the most specific, requiring written notice disclosing the purpose of collection and the length of time biometric information will be stored. It also requires companies to obtain each individual’s written consent. Texas requires companies to inform individuals of collection and obtain consent, but neither must be written. In Washington, companies may either give notice, obtain consent, or “prevent the subsequent use of a biometric identifier for a commercial purpose.” Companies in compliance with the Illinois law would also satisfy the other states’ less specific requirements.
