Monthly Archives: September 2012

New California Laws Restrict Employer, College Access to Personal Social-Media Content

California is the latest state to enact legislation restricting the circumstances under which employers or schools can demand access to employees’ or students’ personal social media accounts. California Gov. Jerry Brown signed two bills into law on Sept. 27.  The first, A.B. 1844, bars employers from requiring or requesting that employees or job applicants disclose … Continue Reading

Surveys Reveal Surprisingly Common Data Security Shortcomings

Despite studies indicating that data security is a top concern for executives and corporate boards — a development we previously blogged about here — barely half of employees are familiar with their company’s information security policies, according to a survey by Forrester Research.  The report explains, “only 56 percent of information workers in North America … Continue Reading

Rep. Lofgren Introduces Legislation to Update ECPA

Last Friday, Rep. Zoe Lofgren (D-CA) introduced the ECPA 2.0 Act, H.R. 6529, which would strengthen the legal standards for law enforcement to gain access to electronic communications and location information.  The Electronic Communications Privacy Act (ECPA) is more than 25 years old and is widely seen as needing modernization to address changes in digital … Continue Reading

HHS Announces $1.5 Million HIPAA Settlement with Massachusetts Provider

On September 17, the Department of Health and Human Services (HHS) announced a settlement with Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (collectively, MEEI) for alleged violations of the HIPAA Security Rule.  Under the Resolution Agreement, MEEI agreed to pay $1.5 million to HHS and take corrective action to improve … Continue Reading

NIST Announces Privacy Technology Grants

Recently, the National Institute of Standards and Technology (NIST) announced over $9 million in grants to five U.S. entities to develop technologies to “pilot identity solutions that increase confidence in online transactions, prevent identity theft, and provide individuals with more control over how they share their personal information.”  Funded projects will address issues including commerce, … Continue Reading

European Data Protection Supervisor Calls For Clearer and More Privacy-Friendly Rules On Internet Intermediary Liability

The European Data Protection Supervisor (EDPS), Peter Hustinx, recently published a response to a European Commission consultation on reform of the “notice-and-action” (“N&A”) procedure rules — i.e., the legal regime that requires Internet intermediaries to remove hosted content when they are notified that such content is illegal.  As set out in more detail below, the … Continue Reading

Senator Rockefeller Requests Cybersecurity Information from Fortune 500 Companies

In the wake of the Senate’s failure to pass comprehensive cybersecurity legislation in August and amid continued discussion about the possibility of a cybersecurity executive order, Senator Jay Rockefeller has sought information directly from Fortune 500 companies.  Senator Rockefeller has urged President Obama to issue a cybersecurity executive order, but in a letter sent to … Continue Reading

NLRB Finds Costco Social Media Policy Unlawful

A three-member panel of the National Labor Relations Board (NLRB) found that it is impermissible for Costco’s social media policy to ban employees from making electronic postings that damage the reputation of the company or anyone else.  The NLRB held that policy was not permissible because Costco employees could reasonably assume that it prohibited communications … Continue Reading

Mobile Device Tracking Bill Introduced

A new bill introduced by Rep. Ed Markey, titled the Mobile Device Privacy Act, would require mobile device sellers, manufacturers, service providers, and app offerors to disclose to consumers the existence of any monitoring software.  Monitoring software is defined as “software that has the capability to monitor the usage of a mobile device or the … Continue Reading

Judiciary Committee May Consider Amendments to VPPA, ECPA

According to a number of media outlets, the Senate Judiciary Committee will consider proposed amendments to the Video Privacy Protection Act (“VPPA”) and to Title II of the Electronic Communications Privacy Act, better known as the Stored Communications Act (“SCA”).  The amendments reportedly will be offered by Judiciary Chairman Patrick Leahy (D-VT), and likely will … Continue Reading

FTC Approves MySpace Settlement

Yesterday, the Federal Trade Commission (“FTC”) approved an agreement with MySpace to settle charges that the company misrepresented the extent to which it shared personal information with third-party advertisers.  MySpace’s privacy policy suggested that it would not share personally identifiable information (“PII”) with third parties without the user’s permission, but the Commission alleged that this … Continue Reading

ICO Issues New £250,000 Fine to Scottish Local Government Body

On 11 September 2012, the UK Information Commissioner’s Office (ICO) announced that it had fined the Scottish Borders Council £250,000 under the Data Protection Act 1998 (the DPA) following the discovery of a former Council employee’s pension records in a supermarket’s car park paper recycling bank. The document was one of at least 676 files … Continue Reading

Court Holds Interception of Unsecured Wi-Fi Communications Does Not Violate the Wiretap Act

Late last month — in a decision that seems to have been largely overlooked in the privacy trade press — a federal judge in Illinois held that the Wiretap Act did not prohibit the interception of communications sent over unsecured Wi-Fi networks provided by hotels, restaurants, coffee shops and other commercial entities.  The decision came … Continue Reading

White House Considers Cybersecurity Executive Order

Before recessing in August, the Senate considered, but failed to pass, comprehensive cybersecurity legislation, the Cybersecurity Act of 2012 (S. 3414) (“CSA2012”). Shortly thereafter, during a Council on Foreign Relations event on August 8, Deputy National Security Adviser John Brennan stated that the President is considering using an executive order to implement portions of the … Continue Reading

Texas Data Breach Amendment Takes Effect; Connecticut On Deck

This week, the much talked-about amendments to Texas’s breach notice statute took effect.  We previously blogged about these amendments, which are unprecedented in scope.  With the amendments, the Texas statute now requires entities doing business in Texas to notify “any individual” whose “sensitive personal information” is acquired in a breach (unless the information is encrypted).  … Continue Reading

FTC Releases Privacy Guide for Mobile Application Developers

The Federal Trade Commission has released a guide, Marketing Your Mobile App: Get It Right from the Start, to help mobile application developers comply with truth-in-advertising standards and privacy principles.  Although the guide is informal and not binding guidance, it does represent helpful FTC commentary.  The guide notes that a one-size fits all approach is not workable since … Continue Reading

Cayman Islands launch consultation on new Data Protection Bill

On 4 September, 2012, the Cayman Islands’ Data Protection Working Group (DPWG) released a consultation paper, inviting comments from the public on the draft Cayman Islands Data Protection Bill 2012. The Bill, which is modelled on the European Framework Data Protection Directive 95/46/EC, aims to protect individuals’ rights regarding the collection and use of personal … Continue Reading

FDIC Official Discusses Implementation of FFIEC Authentication Guidance

In an interview with Information Security Media Group, William Henley, Associate Director of the Federal Deposit Insurance Corporation’s (FDIC) Technology Supervision Branch, discussed the status of the banking industry’s implementation of FFIEC authentication guidance released in July 2011.  Henley generally said that the industry was working towards compliance and offered that FDIC examiners at this stage … Continue Reading

European Commission Issues Implementing Decision Finding Uruguay’s Data Protection Laws Provide Adequate Protection for Personal Data Transferred from EU

On 21 August 2012, the European Commission issued an Implementing Decision (the “Decision”) confirming that the Eastern Republic of Uruguay provides an adequate level of protection for personal data transferred from the European Union.  The effect of the Decision is to allow organizations established in European Member States to transfer personal data to organizations in … Continue Reading