Category Archives: Privacy

Privacy, Data Security, and Your Board: Day Five

In our final installment on privacy, cyber security, and your board, we look at privacy and cyber issues in M&A. So you are thinking about acquiring a new entity? Divesting a current one? Due diligence will need to be conducted to best understand and evaluate privacy and data security issues and risks. Your board will … Continue Reading

Privacy, Data Security, and Your Board: Day Four

In our fourth installment of privacy, data (cyber) security, and your board, we look at crisis management and data breach issues. As part of providing appropriate duty of care and oversight, board members will want to ensure that the company has an incident response plan in place. They should review and understand the plan. They … Continue Reading

Privacy, Data Security, and Your Board: Day Three

In our ongoing conversation about privacy, data security and your board, we turn next to cyber insurance and vendor management. Boards, when executing their duty of care, should keep in mind that while there may be some coverage for data incidents under a company’s CGL and D&O policies, there may be significant gaps in coverage … Continue Reading

Privacy, Data Security, and Your Board: Day Two

In our continuing series about privacy, data security and your board, we next turn to how to best educate a board. Yesterday we mentioned how board members have a duty of care. Part of that duty includes effectively overseeing matters relating to privacy and data security (or the often-used buzzword “cybersecurity”). How can board … Continue Reading

Justice Department Creates Cyber-Digital Task Force

On February 20, the Department of Justice announced that Attorney General Sessions had created a new, cross-departmental Cyber-Digital Task Force. He directed the Task Force to advise him on the most effective ways for DOJ to confront cyber threats and keep Americans safe. Specifically, the Task Force is charged with canvassing the work the Department … Continue Reading

Connected Toys, COPPA, and What’s Next

The settlement between VTech Electronics Ltd. and the FTC in the first Internet-connected toys COPPA case is a reminder for companies looking to enter the connected toys space not to forget this child-focused law. The FTC complaint alleged that VTech violated the Children’s Online Privacy Protection Act and the FTC’s COPPA Rule because it collected … Continue Reading

Car Dealer’s Attempt to Crash Data Privacy Class Action Sputters Out

A Texas court recently affirmed the vitality of potential nationwide class actions brought under the federal Driver’s Privacy Protection Act (“DPPA”), in a case brought by an individual whose personal information had allegedly been obtained illegally from the Texas DMV database. The case was filed by a local individual, Arthur Lopez, who complained of getting … Continue Reading

How to Prepare Interest-Based Video Ads for the April 1 Deadline

The Better Business Bureau’s Online Interest Based Advertising Accountability Program announced that it will require interest-based video ads to provide notice and choice to viewers as of April 1, 2018, as we reported in our Advertising blog, in compliance with the Digital Advertising Alliance’s self-regulatory principles for interest-based advertising. As providers of interest-based video … Continue Reading

2018: The Year of the FTC and Informational Injuries?

What constitutes actionable consumer injuries post-breach or data misuse is a hotly contested topic. As we reported in our Advertising blog late last year the FTC hosted a workshop on December 12th to look at the issue. A large focus during the workshop was what constitutes harm to consumers. While there is a school of thought that … Continue Reading

The Encryption Battle Will Continue in 2018

While they may disagree in other areas, one thing that former FBI Director James Comey, current Deputy Attorney General Rod Rosenstein, and current FBI Director Christopher Wray all have in common is their distaste for strong encryption that prevents the government from accessing information. In 2016, Comey and the Justice Department went to court to … Continue Reading

As GDPR Looms, Australia to Participate in APEC’s CBPR Program

Late last year, Australia’s Attorney General confirmed that Australia planned to participate in APEC’s Cross Border Privacy Rules (CBPR) system. The CBPR system was intended to help companies that want to transfer personal data across the borders of participating countries. Currently there are five participating countries: Canada, Japan, South Korea, Mexico, and the US. This … Continue Reading

2018 Likely a Year of Rising Government Standards for Securing Information

For companies that do business with the government, 2017 was a year of transition, as many began to follow the NIST Cybersecurity Framework, worked to accomplish Federal Risk and Authorization Management Program (FedRAMP) certification, or rushed to rid their systems of products from Kaspersky Lab. Perhaps most significant was the rush of Pentagon contractors to come … Continue Reading

ESPN Knocks VPPA Suit Out Of The Park

The Ninth Circuit recently joined the Third Circuit in defining PII under the VPPA as “information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior.” In the case, Eichenberger v. ESPN, Inc., the court found that because an ordinary person could not have identified the plaintiff from the information ESPN … Continue Reading

France Joins Others, Enforces Against Connected Toys

France’s data protection commissioner joins others in taking action against toymaker Genesis Toys related to its popular internet-connected toys My Friend Cayla and i-Que Robot. Last December, a number of consumer groups filed complaints with regulators in the U.S. and Europe raising privacy and security concerns about the toys. The groups asserted that the toys … Continue Reading

NIST’s Highly-Anticipated Security Requirements Draft Impacts Government Contractors’ Treatment of CUI

Government contractors have until December 31 to implement security requirements from NIST Special Publication (SP) 800-171 as mandated by the Defense Federal Acquisition Regulation Supplement (DFARS). The requirements include provisions for protecting Controlled Unclassified Information (CUI) (government sensitive but unclassified information; see the CUI Registry) in nonfederal systems and compliance is expected soon to … Continue Reading

Assessing GDPR Guidelines Part II: Data Impact Assessments

Following up on yesterday’s blog about profiling and automated decision making, we now look at guidance on data protection impact assessment (DPIA). The same guidance we discussed also directs companies to conduct a DPIA where profiling or automated decision making results in the “systematic and extensive evaluation” of an individual and decisions are made based … Continue Reading

Assessing GDPR Guidelines Part I: Profiling and Automated Decision Making

The Article 29 Data Protection Working Party recently issued guidelines on how to handle profiling and automated decision making under the General Data Protection Regulation. Under GDPR, “profiling” means the automated collection of personal information in order to evaluate personal aspects about an individual. For example, companies may use profiling to predict individuals’ spending habits, targeting … Continue Reading

Lessons Learned from Cyber Awareness Month – Part Two

Following up on our last post about Cyber Awareness, we now focus on cybersecurity in the workplace. All organizations – large and small, for-profit and non-profit – need to be vigilant about cybersecurity. According to one analysis, 918 data breaches led to 1.9 billion data records being compromised worldwide in the first half of 2017, or … Continue Reading

Global Body Issues Guidance for Autonomous and Connected Vehicles

The International Conference of Data Protection and Privacy Commissioners, a collection of data and privacy regulators from around the world, recently issued non-binding guidance concerning the privacy rights of autonomous and connected vehicle users. The guidance calls on manufacturers and service providers to “fully respect the users’ rights to the protection of their personal data and … Continue Reading

FTC Gives COPPA Guidance on Voice Recordings

The FTC announced that it has given guidance on when the Children’s Online Privacy Protection Act (COPPA) requires collection of parental consent before collecting voice recordings online from children under 13. The issue arose because, as the FTC noted, voice is beginning to be a “replacement for written words,” especially when conducting searches or instructing … Continue Reading

Dish Network to Dish Out $341M for TCPA Violations

Two recent judgments against Dish Network LLC (“Dish”) for violations of the Telephone Consumer Protection Act (TCPA) and similar state and federal laws demonstrate the significant liability companies may face based on the actions of their third-party contractors. Dish has been ordered to pay a total of approximately $341 million in two separate federal court … Continue Reading

FTC / DAA Extend Data Privacy Focus to Cross-Device Tracking

Enforcement of the Digital Advertising Alliance “Application of the Principles of Transparency and Control to Data Used Across Devices” (DAA Cross-Device Principles) officially began on February 1, just a week after the FTC issued a staff report discussing the application of the FTC Online Behavioral Advertising Principles in the context of “Cross Device Tracking” and … Continue Reading