As we reported earlier today, the long-awaited White House draft of privacy and data security legislation has been released. While the United States does not today have a comprehensive privacy and data security law, the proposed Consumer Privacy Bill of Rights would impose a suite of substantive privacy and data security obligations across sectors and industries. Our sense is that it would be an uphill battle for this sort of sweeping privacy legislation to gain traction in Congress over the next two years.
We have answered your key questions about this proposed legislation below, including:
Who would the bill apply to?
How is “personal data” defined under the bill?
What are the substantive obligations?
Are there any safe harbors?
How would the bill be enforced?
Does the bill preempt state laws?
The White House’s much anticipated draft privacy legislation has now been released. We are digesting its content now and will post an update with some additional comments shortly.
The draft appears to include an expansive definition of “personal data.” In addition, early press reports note that the draft bill would require companies to inform consumers and sometimes seek their consent when they want to use personal data in a different way than was originally intended. Such reports also note that the draft bill would provide the FTC civil penalty authority to enforce privacy violations.
The Third Circuit panel that will hear arguments in FTC v. Wyndham Worldwide Corp. comprises Judges Thomas L. Ambro, Jane R. Roth and Anthony J. Scirica. Of the three, Judge Ambro is the most recent addition to the bench, having been appointed by President Clinton in 1999 and confirmed in 2000. Judges Roth and Scirica were both appointed by President Reagan and both have since assumed senior status on the court: Judge Roth in May 2006, and Judge Scirica in July 2013.
Wyndham has received considerable attention because it raises the question of whether the “unfairness” prong of Section 5 of the FTC Act provides the Commission with the authority to bring actions involving data security. If the Third Circuit publishes its opinion in the case, the ruling would be binding in Delaware, New Jersey, and Pennsylvania.
Oral argument is scheduled for March 3, 2015 at 10:00 a.m. InsidePrivacy will be on site to report on any developments. Updates will also be available via the InsidePrivacy Twitter feed.
This week, the Medical Identity Fraud Alliance (“MIFA”) released its 2014 Fifth Annual Study on Medical Identity Theft, finding that medical identity theft incidents increased by 21.7% over 2013. The study is conducted annually to determine the pervasiveness of medical identity theft in the United States, how it affects the lives of victims, and what steps consumers, healthcare providers, and governments should take to reduce the incidence of this crime. The report defines medical identity theft as occurring “when someone uses an individual’s name and personal identity to fraudulently receive medical services, prescription drugs and/or goods, including attempts to commit fraudulent billing.” In this study, medical identity theft is also deemed to occur when an individual shares his or her health insurance credentials with others.
On February 20, the Third Circuit sent a letter to counsel in FTC v. Wyndham Worldwide Corp., identifying at least one topic that will be addressed at the upcoming oral argument on the parties’ dispute over whether the FTC has the authority to regulate companies’ data security practices: whether unreasonable cybersecurity practices are “unfair.” The letter asked counsel to be prepared to address the issue by answering three questions. First, whether the FTC has declared that unreasonable cybersecurity practices are “unfair” through the procedures provided in the FTC Act. Second, if not, whether the FTC is asking the federal courts to determine that unreasonable cybersecurity practices are “unfair” in the first instance. And finally, whether federal courts have the authority to determine that unreasonable cybersecurity practices are “unfair” in the first instance in a case brought under 15 U.S.C. § 53(b) (which authorizes the Commission to bring suit to enjoin a person or entity that the Commission has reason to believe is violating or is about to violate a provision of the FTC Act). The letter further indicated that the Third Circuit may also request additional briefing on these topics.
Recall that, in the District Court ruling that preceded the Third Circuit appeal, Judge Esther Salas said that the “untenable consequence” of Wyndham’s argument (that the FTC must give notice of which security practices are lawful and which are “unfair” before bringing an enforcement action) would be to force the FTC “to cease bringing all unfairness actions without first proscribing particularized prohibitions—a result that is in direct contradiction with the flexibility necessarily inherent in Section 5 of the FTC Act.” But the Third Circuit’s request indicates that the court is at least considering whether to weigh in on the meaning of unfairness, and in particular on whether unreasonable cybersecurity practices are unfair, which has the potential to offer greater clarity to companies subject to privacy and data security enforcement.
The Third Circuit’s interest in the meaning of “unfair” was shared by then-FTC Commissioner J. Thomas Rosch in his dissent from the count charging Wyndham with engaging in “unfair” practices in the initial vote authorizing staff to file the complaint. In his dissent, Rosch voiced reservations about what he viewed as an expansion of the Commission’s understanding of unfairness from instances where there is tangible harm to consumers to those where there are intangible injuries, such as unreasonable cybersecurity practices.
Last week AT&T filed a Reply in support of its Motion to Dismiss challenging the Federal Trade Commission’s (FTC’s) attempt to exercise jurisdiction over the company pursuant to Section 5 of the FTC Act.
As we previously reported, the FTC filed a complaint against AT&T alleging that the company misled consumers by reducing the data speeds for its unlimited mobile data plan customers (i.e., the alleged “throttling program”). AT&T filed a Motion to Dismiss the complaint in January, arguing that the FTC lacked jurisdiction over the company because its “status” as a common carrier places it squarely within the common carrier exemption to Section 5 of the FTC Act. The FTC responded that the common carrier exception is a narrow, “activity-based” exception that excludes an entity “only to the degree it is engaged in common carrier activities and not because of its general ‘status’ as a common carrier.”
Last week, the D.C. Circuit heard oral argument in the lawsuit filed against Urban Outfitters and Anthropologie over their collection of customer ZIP codes at the point of sale. The plaintiffs alleged that requesting ZIP codes at the point of sale during credit card transactions violated two D.C. statutes, the Consumer Protection Procedures Act (“DCCPPA”) and the Consumer Identification Information Act (“CII Act”). Their complaint was dismissed at the trial court level, and they appealed. At oral argument on appeal, the plaintiffs urged the court to interpret the statutes broadly and, specifically, to treat a ZIP code as an “address” within the meaning of the CII Act. The trial court had rejected this argument, and the appeals court questioned how a ZIP code could be considered an address when the retailers would be unable to identify the exact location of a consumer’s home from that information alone.
Before the trial court ruled, the CII Act was compared by some to California’s Song-Beverly Act, which has been used to sue some companies that collect personally identifiable information from customers at the point of sale. Massachusetts has a similar statute, which we discussed here.
By Caleb Skeath
During the White House’s inaugural Summit on Cybersecurity and Consumer Protection last Friday, President Obama signed an executive order designed to facilitate increased information sharing between the private sector and the federal government. The order follows the introduction of the Cyber Threat Sharing Act of 2015 in the Senate, an information-sharing bill modeled on the legislative proposal released by the White House in January.
By Jeff Kosseff, Meena Harris, and Caleb Skeath
- Data Breaches
- Studies show increase. Amidst a flurry of high-profile breaches during 2014, several studies confirmed that data breaches as a whole have risen significantly over the past few years. The California Attorney General released a study showing a 28% increase in breaches in 2013 compared to 2012. Another study, which examined the volume of data breaches during the first quarter of 2014, found an increase of 233% compared to the same period in 2013.
- State laws. In April, Kentucky became the 47th state to enact a data breach notification law. Florida and Iowa each amended their data breach notification laws in 2014 to, among other changes, enhance regulator notification requirements. California amended its data breach notice law to expand the types of information covered and to require certain companies to provide one year of free credit monitoring to affected individuals (although the statutory language on the latter point is subject to multiple interpretations).
- Federal legislation. Numerous data breach bills, including the Data Security Breach Notification Act of 2014 and the Personal Data Protection and Breach Accountability Act, were introduced in Congress, although none passed during 2014. The Senate Judiciary Committee, the Senate Commerce Committee, and the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, among others, held hearings during 2014 to discuss the need to address data breaches and the possibility of enacting federal legislation.
- Federal enforcement. In the enforcement arena, the Federal Trade Commission (“FTC”), the Department of Health and Human Services (“HHS”), and state attorneys general pursued enforcement action during 2014 against companies that had suffered data breaches. The Securities and Exchange Commission also announced in April that it would conduct over 50 cybersecurity examinations of publicly traded companies. The Federal Communications Commission (“FCC”), for its part, levied a $10 million fine in October against two telecommunications carriers for exposing customer data, which represented the FCC’s first enforcement action in the wake of a data breach.
- Continued attention in 2015. Legislative interest in data breach issues has only increased in early 2015. Since President Obama proposed national data breach legislation, additional data breach notification bills have been introduced in the House and Senate. The House Subcommittee on Commerce, Manufacturing, and Trade also held a hearing on crafting a national data breach bill, debating the harm that should trigger notification obligations and the appropriate window for providing notifications.
On Sunday, the White House released a memorandum that outlines privacy protections that federal agencies must take when they use drones, and directs the National Telecommunications and Information Administration to work with the private sector to establish voluntary privacy practices for commercial drone use.
The White House issued the memorandum on the same day that the Federal Aviation Administration released a Notice of Proposed Rulemaking to allow limited commercial use of drones.
The memorandum primarily focuses on the government’s use of drones. Federal agencies currently use drones for a wide range of purposes, such as monitoring forest fires and protecting borders. Among the White House’s new restrictions on the federal government’s use of drones: