House Unanimously Passes Email Privacy Act

On April 27, the House of Representatives unanimously passed the Email Privacy Act.  As previously reported, the proposed changes would strengthen the privacy protections for email and other cloud-storage services by closing a loophole that allowed law enforcement to access older stored data without obtaining a warrant.

However, while there is widespread support for requiring warrants for older emails, substantial disagreements remain about other proposed reforms to the 30-year-old law.  For example, the House Judiciary Committee rejected proposed provisions that would have (1) required government agencies to notify the targets of a warrant after their information was provided to the government; (2) applied the warrant requirement to a customer’s geolocation information; and (3) created a carve-out for regulators like the FTC and the SEC, which asked for a way to obtain customer emails without a criminal warrant, since such a warrant may be unavailable in civil cases.

Now that the Act has passed the House, there is renewed pressure on the Senate to take up its version, the Electronic Communications Privacy Act Amendments Act of 2015, which is currently before the Senate Judiciary Committee.  Senator Chuck Grassley, the Chairman of the Senate Judiciary Committee, promised that he “plan[s] on taking a close look at the bill that passed the House, and talking with interested stakeholders and members of this committee to try to find a path forward for ECPA reform here in the Senate.”  However, he noted that “members of this committee on both sides of the aisle have expressed concerns about the details of this reform and whether it’s balanced to reflect issues raised by law enforcement.”  Senator Patrick Leahy and Senator Mike Lee, two of the co-sponsors of the Senate bill, urged the Senate to “take up and pass this bipartisan, common-sense legislation without delay.”

FTC’s Jessica Rich Argues IP Addresses and Other Persistent Identifiers Are “Personally Identifiable”

In a blog post published on the Federal Trade Commission (FTC) website, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, recently stated that:

“we regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”

The post (which reiterates Ms. Rich’s remarks at the Network Advertising Initiative’s April meeting) suggests a shift in the FTC’s treatment of IP addresses and other numbers that identify a browser or device.  The FTC has previously taken the position that browser and device identifiers deserve privacy protections, but it has generally avoided classifying these identifiers as equivalent to personally identifiable information (such as name, email address, and postal address) except in the narrow context of children’s privacy.  (The FTC’s rule implementing the Children’s Online Privacy Protection Act defines “personal information” to include a “persistent identifier that can be used to recognize a user over time and across different Web sites or online services.”)

Verizon Releases 2016 Data Breach Investigations Report

Verizon recently released its 2016 Data Breach Investigations Report (“DBIR”), which outlines cybersecurity threats, vulnerabilities, and trends from 2015.  Verizon, with the assistance of more than 60 contributors, analyzed over 64,000 information security incidents (security events that compromise the integrity, confidentiality, or availability of an information asset) and more than 2,200 data breaches (incidents that result in the “confirmed disclosure of data to an unauthorized party”) affecting organizations in 82 countries.  Items of particular interest in this year’s report include, among others, (1) an analysis of attacks by industry; (2) an increase in breach discovery time; and (3) a list of the most prevalent attacks or types of threats.  A brief description of each of these items follows.

OCR Steps Up HIPAA Enforcement Following Breaches of Protected Health Information

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has been busy.  In addition to its recent efforts to begin audits of covered entities and business associates, OCR has announced a slew of enforcement actions against covered entities for alleged HIPAA violations.

Senate Panel Passes “Internet of Things” Bill

Yesterday, the Senate Commerce Committee passed a bill meant to increase government involvement in the development of the “Internet of Things” (IoT).

By a voice vote, the committee approved the Developing Innovation and Growing the Internet of Things (DIGIT) Act, sponsored by Sen. Deb Fischer (R-Neb.), Sen. Kelly Ayotte (R-N.H.), Sen. Cory Booker (D-N.J.), and Sen. Brian Schatz (D-Hawaii).  The bill would require the establishment of a working group tasked with identifying proposals meant to facilitate IoT growth.  The working group would include representatives from the Transportation Department, the Commerce Department, the Federal Trade Commission, the Federal Communications Commission, the Office of Science and Technology Policy, and the National Science Foundation.  Separately, the Commerce Department recently issued a Request for Public Comment on the role of government in fostering the advancement of IoT.

The bill also sets up a steering committee that will include industry stakeholders.  Both the working group and the steering committee will examine a range of IoT issues, including the regulatory challenges that may limit the growth of IoT and the availability of wireless spectrum for IoT devices.  The committee also approved several minor amendments to the bill, which, among other things, expanded the set of government agencies represented on the working group.

Digital Single Market – New Initiatives for Cloud Computing and Internet of Things

By Vera Coughlan, Monika Kuschewsky and Kristof Van Quathem

Yesterday, the European Commission launched its “Digitising European Industry” package, a series of industry related initiatives aimed at “updating Europe’s digital infrastructure”, see press release here, Q&A here and homepage here.  The package includes reports and proposals addressing cloud computing, ICT standardization, eGovernment, Internet of Things (“IoT”), quantum technologies and high performance computing / big data.

Below we summarize the data protection aspects of the key communications published yesterday.

Seventh Circuit, Relying on Defendant’s Post-Breach Statements, Allows Data Breach Class Action to Proceed

Last week, the Seventh Circuit handed down another ruling favorable to data breach class action plaintiffs, reversing a district court’s dismissal of a class action complaint over a 2014 data breach at P.F. Chang’s restaurants.  In reversing the district court’s holding that the plaintiffs had not demonstrated Article III standing, the Seventh Circuit ruled that the risk of future fraudulent charges and identity theft created by the breach, as reported by P.F. Chang’s itself, constituted a “certainly impending” future injury sufficient to confer Article III standing.  This decision builds on an earlier Seventh Circuit ruling that revived a data breach suit against Neiman Marcus, and it will create further incentives for future plaintiffs to file data breach class action lawsuits in the federal courts of Illinois, Indiana, and Wisconsin, where jurisdictionally possible.

How Merck Achieved BCRs and CBPRs Simultaneously

Merck &amp; Co. recently became the first company to achieve simultaneous approval of its cross-border data transfer strategies through binding corporate rules (BCRs) under European Union principles and the cross-border privacy rules (CBPR) process under the principles of the Asia-Pacific Economic Cooperation (APEC) region.  Subscribers to Law360 learned how Merck achieved this goal in an article published yesterday by Hilary Wandall, Merck’s chief privacy officer, and Covington partner Dan Cooper; that article is now available on the Covington website here.

EU Passes Sweeping New Privacy and Data Security Laws

As forecast in our latest blog on the topic (available here), the European Parliament today voted into law a new General Data Protection Regulation (“GDPR”) that will replace the EU’s all-encompassing Data Protection Directive as of mid-2018.

Today’s vote brings to a close a legislative process that has lasted nearly five years; the law’s official publication, which should be forthcoming, will start the clock on a two-year transition period until the new rules take effect.

The GDPR was approved by the European Parliament today as part of a contentious package of laws that also includes a new Passenger Name Records (“PNR”) Directive, aimed at wider collection and sharing of traveler data for counter-terrorism and crime prevention purposes; and a Policing and Criminal Justice Data Protection Directive (“PCJ DPD”) that will regulate law enforcement agencies’ use of personally identifying information.

The Parliament’s approval of the PCJ DPD enshrines it into law, while the PNR Directive still requires, as a mere formality, approval by the Council of the EU.  Both laws are also scheduled to take effect in mid-2018.

For more on what the GDPR means for organizations active on the European market, see here, and tune into Covington’s free GDPR Webinars for further expert commentary; Workshop 3 takes place on April 21, and further events are planned in May, June, September and October this year.