The world of data privacy often focuses on how companies are using consumers’ information and what measures those companies take to protect such information.  Each of the fifty states have enacted laws that require entities to notify individuals of security breaches involving personally identifiable information (although those laws vary greatly).  Additionally, twenty-five states have laws that address the data security practices of private sector entities.  But what happens when a privacy breach originates not from a company, but from a government agency?  
Continue Reading

Although not a new practice, the application of geofencing continues to increase in sophistication and expand into personal space on an unprecedented scale, jumping beyond commercial retail advertising schemes and diving into the depths of employment, health care, law enforcement, and politics. As the growth of these applications prompt privacy and security concerns, including government surveillance concerns, regulations lag and may be further delayed considering lawmakers’ very use of geofencing to win a governing seat.

Geofencing is the practice of using wireless internet, cellular data, global positioning system (GPS) or radio-frequency identification (RFID), or a combination of such technologies, to create a virtual boundary around a particular geographic area. When a smart-phone, tablet, or other targeted device crosses over the geofence perimeter, it triggers a response from the geofence software. So-called “active” geofencing technology powers things like home applications or “apps” that automatically adjust ambient temperature and lighting when a person enters their house. “Passive” geofencing technology is used to both (1) push advertising and other information to consumers through social media apps and other channels and (2) monitor or pull information about a consumer’s habits.
Continue Reading

The European Union’s (EU) ambitious and far-reaching regulation, the General Data Protection Regulation (GDPR), became effective on 25 May 2018. On the one-year anniversary, we reflect on some of the principal developments following the implementation of the GDPR

European privacy values: a cultural shift

Critics have derided the GDPR for placing an onerous and expensive compliance burden on businesses, causing confusion and creating ‘data privacy fatigue’ amongst consumers and businesses alike.

Conversely, the furore has generated significant publicity around the GDPR, contributing to a cultural shift towards greater consumer empowerment and control over personal information. Public awareness of the GDPR is high – in May 2018, GDPR was searched more often on Google than either Beyoncé or Kim Kardashian. Individuals have a better understanding of their rights in respect of their personal data – which presents more of a risk to data controllers.

Equally, GDPR has completely changed the risk profile of data protection for most businesses. Under the previous, weakly enforced regime, most businesses treated data protection as a low risk issue. Under the new regime, data protection has become a high-risk issue.
Continue Reading

European Commission Comments on GDPR’s One-Year Anniversary

On the one-year anniversary of the GDPR, Andrus Ansip, Vice-President for the Digital Single Market and Věra Jourová, Commissioner for Justice, Consumers and Gender Equality has released a joint statement on the momentous law: “The main aim of the rules has been to empower people and help them to gain more control over their personal data. This is already happening as people are starting to use their new rights and more than two-third of Europeans have heard of the regulation.”  The entire statement can be found here.

FTC Extends Comment Deadline on Proposed Changes to Safeguards Rule

The FTC has extended the deadline to submit comments on proposed changes to the Safeguards Rule by 60 days until August 2nd.  In March, the FTC announced it was seeking comment on proposed changes to the Gramm-Leach-Bliley Act’s Safeguards Rule as well as the Privacy Rule. These regulations require financial institutions to inform customers about its information-sharing practices. More information can be found here.

FBI Reports That Cybercrime Cost $2.7B in 2018

The FBI’s annual Internet Crime Report, states that IC3 received 351,936 complaints in 2018 which is about 900 every day. The statement released with the report said, “[t]he most frequently reported complaints were for non-payment/non-delivery scams, extortion, and personal data breaches. The most financially costly complaints involved business email compromise, romance or confidence fraud, and investment scams, which can include Ponzi and pyramid schemes.” More information can be found here.
Continue Reading

Last week, the IAPP hosted its annual Global Privacy Summit in Washington, D.C.  This year’s summit was the IAPP’s largest event, with more than 4,000 attendees from around the world.  From day 1, it was clear that the summit was heavily focused on the California Consumer Privacy Act of 2018 (CCPA), with many of the conferences covering the CCPA’s nuances, and tech vendors, legal professionals, and consultants offering compliance solutions for this new law.
Continue Reading

On April 16, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert highlighting Regulation S-P compliance deficiencies and issues it found in recent examinations of broker-dealers and investment advisers.  Regulation S-P is the primary SEC rule detailing the safeguards these firms must take to protect customer privacy.  The Risk Alert provides an important reminder for firms to assess their supervisory and compliance programs related to Regulation S-P and make any necessary changes to strengthen those systems.  Indeed, in light of the substantial fines that can accompany a finding that Regulation S-P has been violated, firms must pay careful attention to the OCIE’s guidance regarding potential pitfalls.
Continue Reading

Proposed Bill Makes Dramatic Changes To North Carolina Security Breach Notification Law

Some of the proposed changes include:

  • Businesses would have to “[i]implement and maintain reasonable security procedures and practices, appropriate to the nature of the personal information and the size, complexity, and capabilities of the business.”;
  • Businesses would be required to offer at least two years of free credit monitoring; and
  • Replacing the current “without unreasonable delay” standard for breach notification to “as soon as practicable, but not later than thirty (30) days after discovery of the breach or reason to believe a breach has ”

A copy of the bill can be found here.

24 Tech Companies Support CCPA amendment

According to the DuckDuckGo Blog, 24 different tech companies have written a letter in support of the CCPA amendment. The blog states, “CCPA is set to take effect in 2020 and is without a doubt a major advancement in individual privacy rights for Americans. As an Internet privacy company that empowers users to take control of personal information, we support the law. And we want to see it become even better.” A copy of the letter can be found here.
Continue Reading

What is this bill?  A new bill introduced in the U. S. Senate on March 14, 2019 would require companies to obtain explicit user consent before facial recognition data could be collected and shared. The bill is known as the Commercial Facial Recognition Privacy Act of 2019, and was introduced by Sens. Brian Schatz. D- Hawaii and Roy Blunt, R-Missouri.

What does the bill prohibit?  The bill makes it unlawful for any covered entity to knowingly use facial recognition technology to collect facial recognition data, UNLESS the covered entity obtains explicit consent from the individual after providing notice to such individuals. The bill would also require that covered entities notify individuals whenever their facial recognition data is used or collected.
Continue Reading

FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules

The FTC is seeking comment on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule requires a financial institution to maintain a comprehensive information security program. The Privacy Rule requires a financial institution to inform customers

On January 25, 2019, the Illinois Supreme Court issued a highly anticipated ruling in the Rosenbach v. Six Flags case regarding enforcement of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA or the Act).  In its unanimous ruling, the Court held that a procedural violation of the Act, even absent a showing of actual injury, is sufficient to confer standing to sue for a BIPA violation.

This means that an employer who, for example, uses employee fingerprint data for timekeeping purposes could be on the hook for a BIPA violation for failure to follow the comprehensive notice-and-consent rules set forth in the Act.

Whether the Rosenbach ruling will trigger a spike in biometric privacy litigation against private employers remains to be seen.  For now, understanding BIPA and key compliance principles can help employers mitigate against some of the risks inherent in collecting employee biometric data.
Continue Reading