As 2019 begins, we are one year away from the highly anticipated California Consumer Privacy Act of 2018 (CCPA or the Act) going into effect. As companies update their privacy policies to comply with the CCPA, it is essential to determine whose personal information the Act protects. Two issues businesses should consider when updating their data privacy policies are: (i) the geographic residence of the individuals whose information is collected; and (ii) whether the Act applies to their employees. Continue Reading Defining “Consumer” Under The California Consumer Privacy Act
Recent developments in privacy law and a rise in class action lawsuits related to data collection offer a cautionary tale about understanding legal and ethical boundaries of monitoring “on-the-clock” employee conduct. With a hodgepodge of federal, state, and local legislation governing employee privacy rights, employers are often left to navigate a complicated legal landscape while balancing the practical need to understand how employees are using company information and equipment. Employers, for example, have a legitimate interest in protecting company trade secrets, detecting unlawful transmission of unlicensed material, and improving work productivity. Employees, on the other hand, may have a reasonable expectation of privacy in certain contexts while at work.
This quandary begs the question, where do employers draw the line? Continue Reading Workplace Monitoring: Where Do Employers Draw The Line?
The General Data Protection Regulation (GDPR) imposes strict obligations upon organizations that process the “personal data” of European individuals. Failure to comply with GDPR can result in large fines. The UK’s Information Commissioner’s Office (ICO), in recent months, issued a number of fines of £500,000 on global businesses with household names, and such fines have generated a lot of publicity. Many onlookers would be shocked by the magnitude of those fines but may not have appreciated that they were imposed under the Data Protection Act 1998, which was in force when the offending breaches occurred. Had the breaches taken place after May 25th of this year, when the GDPR took effect, those fines would more than likely have been significantly higher.
Businesses have therefore invested significant resources and money to make sure that they do not fall foul of the obligations imposed by the GDPR. Yet, within less than a year of the GDPR becoming binding law, those same businesses face further disruption as Brexit looms. Continue Reading Implications of Brexit on GDPR
Beginning in 2020, California residents will have the right to opt out of the sale of their personal information under the California Consumer Privacy Act of 2018 (CaCPA or also called CCPA). It is time to revisit your third-party service provider agreements. Companies now have two reasons to ensure that service provider agreements restrict the use or sale of personal information: to comply with CaCPA and to reduce risk of an FTC enforcement action. Continue Reading Preparing for 2020: Check In On Your Vendors
Effective October 1, 2018, Connecticut has the most stringent requirement—24 months—for free mitigation services that must be provided to those affected by a data breach of personally identifiable information (in the case of Connecticut: (A) Social Security number; (B) driver’s license number or state identification card number; (C) credit or debit card number; or (D) financial account number in combination with any required security code, access code or password that would permit access to such financial account).
With a new high-water set, it is likely that other states will quickly follow suit. In the meantime, for entities that are responding to a multi-state data breach that includes Connecticut, there will now be a business decision of whether or not to offer 24 months of services to all affected individuals regardless of state law requirements (some of which are silent and the rest of which require 12 months of services).
The convergence of the General Data Protection Regulation and the investigation into Russian interference in the 2016 election has created a perfect privacy storm. Social media platforms’ complacency on this front, and the resulting public backlash, have further amplified the pressure on legislatures to react. Although state legislatures have been quick to do so (most notably California, which passed a sweeping new privacy law in June), Congress has not.
Recently, Senator Mark Warner (D-VA) issued a draft white paper proposing 20 policy approaches to combat these issues. The proposals seek to enhance user privacy, increase transparency, and dam the deluge of misinformation that, to date, has run through social media platforms largely unchecked.
Personal information has become the prey of relentless poachers. In light of the influx of data breaches, state legislatures are taking action. Not surprisingly, now every state has enacted data breach notification laws, which are triggered when personal information is breached. Read below for a summary of relevant state legislation recently adopted or laws recently amended that pertaining to data breach notification.
Arizona amended its data breach notification law, effective July 21, 2018. This amendment requires companies to notify affected consumers within a 45-day window upon discovery of a data breach. If the data breach impacts more than 1,000 consumers, companies must also notify the state attorney general as well as the three largest consumer credit reporting agencies. The state attorney general can also impose up to $500,000 in penalties for a company’s non-compliance.
On August 1, 2018, NIST will withdraw eleven SP 800 publications that are considered out of date. These publications will not be revised. According to NIST the following publications will be withdrawn:
- SP 800-13 (October 1995), Telecommunications Security Guidelines for Telecommunications Management Network
- SP 800-17 (February 1998), Modes of Operation Validation System (MOVS): Requirements and Procedures
- SP 800-19 (October 1999), Mobile Agent Security
- SP 800-23 (August 2000), Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
- SP 800-24 (April 2001), PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
- SP 800-33 (December 2001), Underlying Technical Models for Information Technology Security
- SP 800-36 (October 2003), Guide to Selecting Information Technology Security Products
- SP 800-43 (November 2002), Systems Administration Guidance for Securing Windows 2000 Professional System
- SP 800-65 (January 2005), Integrating IT Security into the Capital Planning and Investment Control Process
- SP 800-68 Rev. 1 (October 2008), Guide to Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist
- SP 800-69 (September 2006), Guidance for Securing Microsoft Windows XP Home Edition: A NIST Security Configuration Checklist
More information about these publications and the reason for withdrawal can be found here.
Yesterday Gov. Jerry Brown signed California Consumer Privacy Act of 2018, which grants California residents unprecedented control over the collection, use, and sale of personal information. Many have already speculated that other state legislatures will follow suit and adopt a similar law in their own states, as has occurred in the wake of past California laws on data privacy and security. A copy of the law can be found here.
After 25 May 2018, data protection will be a high-risk issue for all retailers who fall within the scope of the GDPR. Organizations can be fined up to 4% of annual worldwide turnover or 20 million euros (whichever is greater) for violations of the GDPR. Moreover, the GDPR applies to any business that targets goods or services at individuals located in the EU – so retailers can be caught by the GDPR even if they have no physical presence in the Union.
Retailers should pay particular attention to how they obtain customers’ consent to marketing. The GDPR requires a high standard for consent to use personal data, and violation of the consent is a serious infringement.