Taking further steps into the world of cryptocurrency, two entities of the federal government recently took legal action against BitFunder, a now-defunct Bitcoin exchange, and its founder, Jon Montroll. The Securities and Exchange Commission filed civil charges against BitFunder and Montroll, and the U.S. Attorney’s Office in Manhattan brought criminal charges of perjury and obstruction of justice against Montroll, who was arrested and taken into custody. BitFunder was an exchange that, among other things, empowered its customers to create and trade Bitcoin-denominated shares of enterprises. The numerous allegations and charges against the defendants include:
Continue Reading Crypto-Crime: The SEC and DOJ Go After BitFunder and Its BitFounder

On February 21, the Securities and Exchange Commission issued new Interpretive Guidance regarding disclosures of cybersecurity-related information by publicly traded companies. This guidance comes in the context of public pressure on the SEC to update its 2011 Division of Corporation Finance guidance regarding cybersecurity risks and incidents. According to SEC Chairman Jay Clayton’s statement, this new document serves to reinforce and expand the prior guidance. It lays out principles that companies should follow in determining when cybersecurity information should be disclosed, and what should be disclosed.
Continue Reading SEC Takes Baby Steps on Cyber, but Signals Greater Vigilance

The Ninth Circuit recently joined the Third Circuit in defining PII under the VPPA as “information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior.” In the case, Eichenberger v. ESPN, Inc., the court found that because an ordinary person could not have identified the plaintiff from the information ESPN divulged to a third party (the plaintiff’s Roku serial device number and video history), the plaintiff failed to state a claim. For that reason the Ninth Circuit affirmed dismissal of the VPPA claim.
Continue Reading ESPN Knocks VPPA Suit Out Of The Park

Following up on yesterday’s blog about profiling and automated decision making, we now look at guidance on data protection impact assessment (DPIA). The same guidance we discussed also directs companies to conduct a DPIA where profiling or automated decision making results in the “systematic and extensive evaluation” of an individual and decisions are made based on that evaluation that could have legal effects.
Continue Reading Assessing GDPR Guidelines Part II: Data Impact Assessments

The Article 29 Data Protection Working Party recently issued guidelines on how to handle profiling and automated decision making under the General Data Protection Regulation. Under GDPR, “profiling” means the automated collection of personal information in order to evaluate personal aspects about an individual. For example, companies may use profiling to predict individuals’ spending habits, targeting ads to individuals based on their internet browsing history. 
Continue Reading Assessing GDPR Guidelines Part I: Profiling and Automated Decision Making

Following up on our last post about Cyber Awareness, we now focus on cybersecurity in the workplace. All organizations – large and small, for-profit and non-profit – need to be vigilant about cybersecurity. According to one analysis, 918 data breaches led to 1.9 billion data records being compromised worldwide in the first half of 2017, or about 10 million records a day, a 164% increase. Another study found that since 2013, a sample of company breaches had led to over $52 billion in shareholder losses.
Continue Reading Lessons Learned from Cyber Awareness Month – Part Two

The Consumer Financial Protection Bureau (CFPB) recently released a set of Consumer Protection Principles aimed at the Fintech field. The Principles describe obligations when sharing or aggregating consumer financial information. The CFPB regulates and enforces consumer financial laws, and issued this release as part of its review of the Fintech industry. These Principles follow a request for information that the CFPB issued late last year, as well as insights from stakeholders that the CFPB summarized at the time it released the Principles.
Continue Reading CFPB Provides Guidance on Consumer Data Protection

Employees in Illinois are continuing to file class action complaints against their employers. Bob Evans Restaurants and Suparossa Restaurant Group are two of the latest to be accused of violating the Illinois Biometric Information Privacy Act. Both companies’ employees took issue with their employers’ use of their fingerprints and other biometric information in time-clock and point-of-sale systems. The employees alleged that their employers collected and used their information without the written consent necessary under BIPA. As we have written previously, class action lawyers are increasingly bringing cases alleging violations of the law.
Continue Reading BIPA Fingerprint Suits Continue

The International Conference of Data Protection and Privacy Commissioners, a collection of data and privacy regulators from around the world, recently issued non-binding guidance concerning the privacy rights of autonomous and connected vehicle users. The guidance calls on manufacturers and service providers to “fully respect the users’ rights to the protection of their personal data and privacy and to sufficiently take this into account at every stage of the creation and development of new devices or services.” The guidance may instruct future international data enforcement actions, meaning entities could be fined for failing to comply. Among its many instructions, the guidance encourages manufacturers and service providers to:
Continue Reading Global Body Issues Guidance for Autonomous and Connected Vehicles

The FTC announced that it has given guidance on when the Children’s Online Privacy Protection Act (COPPA) requires collection of parental consent before collecting voice recordings online from children under 13. The issue arose because, as the FTC noted, voice is beginning to be a “replacement for written words,” especially when conducting searches or instructing digital devices. COPPA requires collecting parental consent before collecting personally identifiable information from children online. The definition of “personal information” under COPPA is broad, and includes audio files. Arguably, then, online operators would need parental consent before children “submitted” audio files, including in the form of conducting verbal searches or giving verbal instructions to their connected device.
Continue Reading FTC Gives COPPA Guidance on Voice Recordings

A Florida court recently broke with other district courts in its circuit when it concluded that a plaintiff lacks standing to sue a defendant for a mere technical violation of the Fair and Accurate Credit Transactions Act (FACTA) unless the plaintiff has been harmed. FACTA prohibits printing more than the last five digits of a credit card number or the expiration date on a receipt. In the case in question (Gesten v. Burger King Corp.), the plaintiff alleged that Burger King violated FACTA when it provided him with a receipt which identified his payment method as a debit card, identified the issuing company (e.g., Visa, American Express), and included the first six and last four digits of his account number.
Continue Reading FACTA Suit Dismissed for Lack of Harm