An unnamed power company was hit with a $2.7 million fine after it was discovered that protected information associated with the company’s critical cyber assets had been posted online. The data was exposed on the internet for 70 days and included IP addresses and server host names. A white hat security researcher alerted the company to the breach after the researcher was able to access the information online. The company determined that a third-party contractor had improperly copied protected company data to the contractor’s unsecured network.
Continue Reading Power Company Slammed With Hefty $2.7M Fine After Data Breach

The settlement between VTech Electronics Ltd. and the FTC in the first Internet-connected toys COPPA case is a reminder for companies looking to enter the connected toys space not to forget this child-focused law.

The FTC complaint alleged that VTech violated the Children’s Online Privacy Protection Act and the FTC’s COPPA Rule because it collected personal information from children without parental consent. According to the FTC, VTech markets and sells various “electronic learning products,” which it targets to 3- to 9-year-olds. Those products have an area similar to an app store, and one of the apps available is called Kid Connect. Kid Connect, the FTC explained, lets children communicate with other users. Although parents did have to sign children up for the interactive features of the VTech products, the FTC had concerns about the compliance of the consent process: namely, VTech did not have a way to verify that the person submitting consent was the parent rather than the child. Also of concern to the FTC, and an alleged violation of COPPA, was the absence of a link to the privacy policy in all areas of Kid Connect where personal information was collected. In some instances, such as the Kid Connect registration page, the privacy policy link was not sufficiently prominent. Additionally, some of the information that COPPA requires in a privacy policy was missing, including VTech’s address and email address, a full description of what information was being collected from children, and the parent’s right to review and delete children’s personal information.
Continue Reading Connected Toys, COPPA, and What’s Next

At the end of last year the Department of Health and Human Services – Office for Civil Rights announced its resolution agreement and settlement with 21st Century Oncology for $2.3 million. The company, which billed itself as the largest operator of cancer treatment centers in the world, filed for bankruptcy in May of 2017. OCR’s press release on the breach settlement stated that 21st Century Oncology was twice notified by the FBI in 2015 that patient information had been illegally obtained and was being sold. Following notice, the company determined through an internal investigation that the attacker may have accessed its network SQL database through the remote desktop protocol in early October of 2015 and that 2,213,597 individuals were potentially impacted. Information accessed included names, dates of birth, social security numbers, physicians’ names, diagnoses, treatments, and insurance information.
Continue Reading HHS-OCR Closes 2017 with Six Figure Settlement in PHI Data Breach Impacting Over 2 Million Individuals

The Ninth Circuit recently joined the Third Circuit in defining PII under the VPPA as “information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior.” In the case, Eichenberger v. ESPN, Inc., the court found that because an ordinary person could not have identified the plaintiff from the information ESPN divulged to a third party (the plaintiff’s Roku device serial number and video history), the plaintiff failed to state a claim. For that reason the Ninth Circuit affirmed dismissal of the VPPA claim.
Continue Reading ESPN Knocks VPPA Suit Out Of The Park

France’s data protection commissioner joins others in taking action against toymaker Genesis Toys related to its popular internet-connected toys My Friend Cayla and i-Que Robot. Last December, a number of consumer groups filed complaints with regulators in the U.S. and Europe raising privacy and security concerns about the toys. The groups asserted that the toys fail to meet U.S. and E.U. privacy and data protection standards because the toys record and collect the conversations of children without parental consent and without limitations on the collection, use, or disclosure of the information, and because the toys can be easily hacked by third parties.
Continue Reading France Joins Others, Enforces Against Connected Toys

Employees in Illinois are continuing to file class action complaints against their employers. Bob Evans Restaurants and Suparossa Restaurant Group are two of the latest to be accused of violating the Illinois Biometric Information Privacy Act. Both companies’ employees took issue with their employers’ use of their fingerprints and other biometric information in time-clock and point-of-sale systems. The employees alleged that their employers collected and used their information without the written consent required under BIPA. As we have written previously, class action lawyers are increasingly bringing cases alleging violations of the law.
Continue Reading BIPA Fingerprint Suits Continue

The International Conference of Data Protection and Privacy Commissioners, a collection of data and privacy regulators from around the world, recently issued non-binding guidance concerning the privacy rights of autonomous and connected vehicle users. The guidance calls on manufacturers and service providers to “fully respect the users’ rights to the protection of their personal data and privacy and to sufficiently take this into account at every stage of the creation and development of new devices or services.” The guidance may instruct future international data enforcement actions, meaning entities could be fined for failing to comply. Among its many instructions, the guidance encourages manufacturers and service providers to:
Continue Reading Global Body Issues Guidance for Autonomous and Connected Vehicles

A Florida court recently broke with other district courts in its circuit when it concluded that a plaintiff lacks standing to sue a defendant for mere technical violation of the Fair and Accurate Credit Transactions Act (FACTA) unless the plaintiff has been harmed. FACTA prohibits printing more than the last five digits of a credit card number or the expiration date on a receipt. In the case in question (Gesten v. Burger King Corp.) the plaintiff alleged that Burger King violated FACTA when it provided him with a receipt which identified his payment method as a debit card, identified the issuing company (e.g., Visa, American Express), and included the first six and last four digits of his account number.
Continue Reading FACTA Suit Dismissed for Lack of Harm

How The EU Data Privacy Regulation Will Affect American Companies’ Data Collection and Processing Practices – and Their Revenue

For American companies that do business in Europe or that process the personal data of EU residents, the world of data privacy and security is about to get much more complicated. While U.S. privacy law is unsettled, with rapidly proliferating state and federal laws and regulations and uncertainty as to how strictly they will be enforced, the rules in the European Union are tough and about to get much tougher. The General Data Protection Regulation (EU) 2016/679 (GDPR), slated to take effect in May 2018, will give consumers in the EU substantially more control over how their personal data is used. The increased control includes the right to:

  1. access any personal data that has been collected,
  2. obtain confirmation about whether an individual’s data is being processed, and
  3. require that the data be “erased” if the consumer withdraws consent.

Continue Reading The GDPR and The Bottom Line