Privacy and Data Security

Following lots of legislative uncertainty, Brazil has now formally enacted the country’s first general data protection law, Lei Geral de Proteção de Dados, or “LGPD.” While administrative sanctions do not go into effect until August 1, 2021, individuals and public prosecutors can now bring claims for losses and damages. Indeed, at least one public civil action has already been filed. LGPD is the first comprehensive general data protection law in Latin America. It was modeled after the EU’s GDPR. While there are many similarities, LGPD does introduce new concepts. Below are some of the key elements to keep in mind.
Continue Reading Brazil’s Comprehensive Privacy Law Now in Effect

NIST’s new draft guidance, Special Publication 800-53B, Control Baselines for Information Systems and Organizations, provides important information on selecting both security and privacy control baselines for the Federal Government. These control baselines are from NIST Special Publication 800-53 and have been moved to this separate publication “so the SP 800-53 [can] serve as a consolidated catalog of security and privacy controls regardless of how those controls [are] used by different communities of interest.” The new guidance addresses federal information systems and is applicable to information systems used or operated by an agency, a contractor on behalf of an agency, or another organization on behalf of an agency.
Continue Reading NIST Issues Draft Guidance on Security and Privacy Control Baselines – SP 800-53B

On February 21, the Securities and Exchange Commission issued new Interpretive Guidance regarding disclosures of cybersecurity-related information by publicly traded companies. This guidance comes in the context of public pressure on the SEC to update its 2011 Division of Corporation Finance guidance regarding cybersecurity risks and incidents. According to SEC Chairman Jay Clayton’s statement, this new document serves to reinforce and expand the prior guidance. It lays out principles that companies should follow in determining when cybersecurity information should be disclosed, and what should be disclosed.
Continue Reading SEC Takes Baby Steps on Cyber, but Signals Greater Vigilance

While they may disagree in other areas, one thing that former FBI Director James Comey, current Deputy Attorney General Rod Rosenstein, and current FBI Director Christopher Wray all have in common is their distaste for strong encryption that prevents the government from accessing information. In 2016, Comey and the Justice Department went to court to try to force Apple to help the government decrypt messages sent by the San Bernardino terrorist attackers. A few months ago, Rosenstein picked up that torch, discussing the need for government access to encrypted information in two separate speeches in October, then repeating his views in the wake of November’s mass shooting at a church in Texas. On January 10, Wray raised the subject in a speech, referring to it as “an urgent public safety issue.” At the same time, as tech companies are quick to point out, the rising tide of information snooping by foreign governments and private actors makes the need for strong encryption greater than ever. The Trump Administration’s strong law-and-order stance, and relative lack of sympathy for tech companies and civil libertarians, mean that 2018 could lead to new developments in this area.
Continue Reading The Encryption Battle Will Continue in 2018

You hopefully already know that Maryland’s amendment to its data breach notification law went into effect this week (on January 1, 2018). We anticipate that other states may follow one of Maryland’s modifications, namely its expansion of the definition of personal information. Under the amended law “personal information” now includes an expanded definition of biometric information. Biometric information is defined as any automatically generated biologic measurements, rather than just specifically listed items like fingerprints (the definition prior to the amendment). A handful of states have laws, like Maryland, that include biometric information in the definition of personal information. Those include Illinois, Nebraska, Nevada, North Carolina, Wisconsin, and Wyoming. We expect other states may join these. We also expect that states may otherwise continue to expand the definition of personal information in their breach notice laws.
Continue Reading How Will Breach Laws Develop in 2018?

As might be expected, the first year of the Trump Administration saw a lot of activity on the cybersecurity front. In May, the Administration issued its “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” As we discussed in an analysis we issued shortly thereafter, the Order brought more accountability to agencies for monitoring their own cybersecurity, and required them all to implement the NIST Cybersecurity Framework. In September, the Department of Homeland Security banned the use of products, solutions or services offered by Kaspersky Labs. And of course, cybersecurity continues to play an important role in ongoing investigations and political activities relating to the hacking of the Democratic National Committee.
Continue Reading Cybersecurity in the First Year of the Trump Administration

Following up on yesterday’s blog about profiling and automated decision making, we now look at guidance on data protection impact assessment (DPIA). The same guidance we discussed also directs companies to conduct a DPIA where profiling or automated decision making results in the “systematic and extensive evaluation” of an individual and decisions are made based on that evaluation that could have legal effects.
Continue Reading Assessing GDPR Guidelines Part II: Data Impact Assessments

The Article 29 Data Protection Working Party recently issued guidelines on how to handle profiling and automated decision making under the General Data Protection Regulation. Under GDPR, “profiling” means the automated collection of personal information in order to evaluate personal aspects about an individual. For example, companies may use profiling to predict individuals’ spending habits, targeting ads to individuals based on their internet browsing history. 
Continue Reading Assessing GDPR Guidelines Part I: Profiling and Automated Decision Making

In the latest installment of what has become a quickening trend, a New York federal court recently dismissed yet another putative FACTA class action for lack of Article III standing. The court in the case (Fullwood v. Wolfgang’s Steakhouse, Inc.) held that the plaintiff, on her fourth (and final) attempt, once again failed to plead a concrete injury against a New York City steakhouse that provided her with a receipt displaying the full expiration date of her credit card in 2013.
Continue Reading New York Court Scraps Another FACTA Receipt Class Action for Lack of Standing

Following up on our last post about Cyber Awareness, we now focus on cybersecurity in the workplace. All organizations – large and small, for-profit and non-profit – need to be vigilant about cybersecurity. According to one analysis, 918 data breaches led to 1.9 billion data records being compromised worldwide in the first half of 2017, or about 10 million records a day, a 164% increase. Another study found that since 2013, a sample of company breaches had led to over $52 billion in shareholder losses.
Continue Reading Lessons Learned from Cyber Awareness Month – Part Two

Employees of Peacock Foods, an Illinois-based food product manufacturer, recently filed a lawsuit against their employer for alleged violations of Illinois’ Biometric Information Privacy Act. Under BIPA, companies that collect biometric information must, inter alia, have a written retention policy (that they follow). As part of the policy, the law states that they must delete biometric information after they no longer need it, or three years after the last transaction with the individual. Companies also need consent to collect the information under the Illinois law, cannot sell the information, and, if they share it, must get consent for such sharing.
Continue Reading Employees Sue for Fingerprint Use