Later this week, January 28, 2021 will mark International Privacy Day: a day corporations release educational efforts around privacy and data protection. There are many reasons to approach privacy proactively in 2021: (1) January 28 will mark the second week of a new US administration, one which will likely focus more on privacy and data security; and (2) laws and enforcement in this area continue to change and develop, as we reported last year. With this in mind, privacy and data security practitioners may find themselves behind with reactive approaches. Reactivity is also costly, both monetarily and resource-use wise.
Continue Reading Developing a Right-Sized Privacy Program

As 2020 comes to a close, we take this opportunity to look back at some of the more significant developments that we discussed in the blog this year. The first is the EU Court of Justice’s Schrems II decision, finding that the EU-U.S. Privacy Shield was not a valid mechanism for transferring personal data from the EU to the U.S. Related decisions came out of Switzerland and Israel.
Continue Reading 2020 In Review: Dealing With Schrems II Fallout

Vermont recently enacted a data broker security law, one of the first of its kind. The law requires data brokers to develop and implement a comprehensive security program. The program needs to include administrative and technical safeguards to protect personal information. Data brokers are defined as businesses that collect and sell or license data about consumers with whom the business does not have a direct relationship.
Continue Reading Vermont Is First Mover Regulating Data Brokers

Louisiana’s breach notice law has been amended to require companies to protect personal information. The definition of personal information matches that which -if breached- would give rise to a duty to notify. This includes name combined with social security numbers, drivers’ license (and state ID/passport numbers) or financial account numbers. The law applies to companies that “maintain computerized information” and require that entities (1) have reasonable security procedures and practices “appropriate to the nature of the information” that protects against unauthorized access, destruction, use, modification and disclosure and (2) destroy personal information or make it unreadable when it is no longer needed by “shredding, erasing” or making the information otherwise unreadable.  Louisiana joins a growing list of states that have such data protection requirements, including California, Connecticut, Delaware, Florida, Massachusetts, Nevada, and New Jersey to name but a few. The requirement goes into effect August 1, 2018.
Continue Reading Louisiana Adds Data Security Requirements to Breach Notice Law

There were new developments regarding the Sabre cyber breach this past week, as the travel industry and the public are learning more about its scope and scale.

To recap, in early May, Sabre, Inc., which provides electronic travel booking services, disclosed that it was investigating “an incident of unauthorized access to payment information contained in a subset of hotel reservations processed through [its] Hospitality Solutions SynXis Central Reservations system.” That system serves 32,000 properties. Sabre stated that it had shut off the unauthorized access and had engaged a security forensics firm to investigate.
Continue Reading Sabre Cyber Breach: New Developments

How The EU Data Privacy Regulation Will Affect American Companies’ Data Collection and Processing Practices – and Their Revenue

For American companies who do business in Europe or who process the personal data of EU residents, the world of data privacy and security is about to get much more complicated. While U.S. privacy law is unsettled, with rapidly proliferating state and federal laws and regulations and uncertainty as to how strictly they will be enforced, the rules in the European Union are tough and about to get much tougher. The General Data Protection Regulation (EU) 2016/679 (GDPR), slated to take effect in May 2018, will give consumers in the EU substantially more control over how their personal data is used. The increased control includes the right to:

  1. access any personal data that has been collected,
  2. obtain confirmation about whether an individual’s data is being processed, and
  3. require that the data be “erased” if the consumer withdraws consent.

Continue Reading The GDPR and The Bottom Line

On February 29, 2016, the European Commission and United States released the terms of the much-anticipated renewed framework for the transfer, sharing, and processing of European individuals’ data to the United States. The framework replaces the “Safe Harbour” mechanism, which enabled U.S. companies to transfer data from the EU to the United States by self-certifying that their practices ensured an adequate level of protection for personal data under the EU Data Protection Directive. In October, the “Safe Harbour” framework was declared invalid by the European Court of Justice in the Schrems decision covered earlier in this blog.
Continue Reading EU-US Privacy Shield: Brace Yourself . . . or Maybe Not