
Liisa Thomas, a partner based in the Chicago and London offices, is Leader of the firm's Privacy and Cybersecurity Practice Group.

As we reach the end of January 2021, it is becoming increasingly clear that this will be a busy year in the areas of privacy and data security. Following up on our posts discussing some of the important trends from last year, the Sheppard Mullin Privacy and Cyber Security team has put together a comprehensive resource containing all of our posts from last year.  From a focus on artificial intelligence, to international data flow and vendor transfer concerns, to ongoing enforcement of a patchwork of laws, we anticipate many of the issues facing companies in 2020 will not go away this year.

Continue Reading 2020 Privacy Year In Review

The Federal Trade Commission recently entered the biometric fray. It settled with a now-defunct photo-storage app over its use of facial recognition technology. According to the FTC, the company engaged in a variety of deceptive and unfair acts, in violation of Section 5 of the FTC Act.
Continue Reading Defunct Photo App Agrees to Erase Biometric Data in FTC Settlement

The HHS Office for Civil Rights released, at the end of last year, findings from audits it conducted in 2016 and 2017 of 166 covered entities and 41 business associates. The report reflects the periodic audits that the HITECH Act requires the Department of Health and Human Services to conduct of covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. There are many practical takeaways for businesses from OCR's report.
Continue Reading Learning from the Mistakes of Others: OCR Releases Audit Report

The FCC recently adopted new rules that will limit the volume of calls that can be made to residential phones under certain TCPA consent exceptions. The new rules affect non-telemarketing calls that use an artificial or prerecorded voice. For years, companies have been able to make unlimited numbers of these calls to residential lines without prior express consent if one of the exceptions applied. Beginning later in 2021, companies will need to follow volume limits for exempted calls of the following types, unless they have obtained prior express consent to make more calls. The new limits will apply to calls that fall into one of these consent exceptions:
Continue Reading FCC Sets Volume Limits For Some Prerecorded Calls to Home Phones

The operator of CafePress, an online retailer that sells customizable mugs and other products, has reached an agreement with New York State Attorney General Letitia James and six other state attorneys general to settle claims related to a 2019 data breach. The breach stemmed from a cyberattack that the company suffered in early 2019. Upon learning of the attack, the company engaged a third-party investigation firm, which identified a vulnerability in the company's Structured Query Language (SQL) handling. In response, CafePress reviewed its database and two weeks of logs but did not find evidence of a data breach. CafePress nonetheless released a security patch to fix the vulnerability and automatically reset the passwords of all customer accounts, requiring all users to choose a new password upon logging in.
Continue Reading New York and Others Settle with CafePress Over 2019 Data Breach

The FTC recently settled with Ascension Data & Analytics over its failure to oversee service providers. Ascension provides services to mortgage companies within its corporate family of entities. According to the complaint, Ascension uses third parties to provide some of its services. One of those, OpticsML, had access to tax returns for approximately 60,000 customers. OpticsML stored the information on a cloud-based server that was publicly accessible for a year. During that time the tax documents were accessed by unauthorized individuals, from originating IP addresses in Russia and China. Although the security incident occurred at OpticsML, the FTC alleged that Ascension violated the Gramm-Leach-Bliley Act's Safeguards Rule: the company failed to properly oversee its service providers and failed to adequately assess risk. In particular, the FTC alleged that:
Continue Reading FTC Settles Over Alleged Failure to Manage Service Providers

As it closed out 2020, the Federal Trade Commission (FTC) sent out requests to nine social media and video streaming companies asking them to provide more information about how they treat consumer information. The FTC indicated that it wanted to learn more about the companies’ activities in order to inform the FTC’s approach to privacy and data security. The FTC, in particular, is focused on how the privacy practices of these entities affect children and teenagers. The FTC exercised its authority under a provision of the law that allows it to gather information generally from a particular company or industry (without bringing a specific action against the company or industry). One FTC commissioner did dissent, arguing that the request the FTC made of these companies was too broad.
Continue Reading FTC Focuses on Privacy Practices of Social Media and Video Streaming Companies

Many in the world have been watching the Brexit deal closely, including privacy lawyers and others who deal with global data transfers. Under the recently announced deal, a temporary solution will allow companies to continue to transfer data between the UK and the European Economic Area (EEA) as normal during a short post-Brexit transition period. As many know, transfers of personal data out of the EEA to third countries are restricted unless certain steps are taken or exceptions apply. One of those mechanisms is an EU determination that the country to which data is being transferred is "adequate." With the current transition period set to expire December 31, 2020, and no adequacy decision for the UK yet issued by the Commission, companies have been worrying about how to receive data from the EEA into the UK given its impending status as a "third country."
Continue Reading New Year, Same Transfers (for now): Temporary Brexit Deal Keeps EEA-UK Data Flowing

Alleging unfair and deceptive practices in violation of the FTC Act, the FTC recently entered into a settlement agreement with SkyMed International, Inc. The company sells travel emergency plans to individuals who sustain medical emergencies or injuries while traveling internationally and, according to the FTC, has signed up thousands of consumers. During the sign-up process, individuals provided the company with sensitive health information.
Continue Reading FTC Settles with Travel Services Provider Over Security Issues