Updates on Developments in Data Privacy and Cybersecurity
The UK Supreme Court has granted Google the right to appeal part of the English and Welsh Court of Appeal’s notable ruling in Google Inc. v. Vidal-Hall & Ors [2015] EWCA Civ 311.
Our previous blog highlighted the facts of the case (brought by Internet users against Google’s ad-tracking…
Continue Reading UK Supreme Court Will Hear Google’s Appeal in Important Privacy Case
Last Friday, Fiat Chrysler announced the recall of 1.4 million vehicles to fix security vulnerabilities, further highlighting the importance of properly addressing cybersecurity issues created by the use of connected devices. The recall follows an article published last Tuesday by Wired magazine which described methods used by security researchers to…
Continue Reading Fiat-Chrysler Recalls 1.4 Million Vehicles In Response to Security Vulnerability
A second round of “trilogue” negotiation on the EU General Data Protection Regulation (GDPR), on July 14th, has addressed the law’s territorial scope and rules relating to international data transfers (Articles 3 and Chapter 5, respectively).
Although no agreed text has been released, public comments made by Jan Philipp Albrecht, the European Parliament’s lead negotiator on the GDPR, indicate that agreement has been reached “in principle” on most of the provisions discussed. (For a video of his comments, please see here, from 3:10:00 to 3:20:00.) However, some issues remain to be resolved, and it is expected they will be addressed when negotiations resume in September.Continue Reading Progress on EU GDPR Reform: International Aspects Debated
Neiman Marcus customers whose credit card information potentially was exposed in a 2013 breach of the retailer’s computer systems may proceed with their proposed class action lawsuit against the retailer, a federal appeals court ruled Monday.
Neiman Marcus discovered in December 2013 that some of its customers had found fraudulent charges on their credit cards, and after an investigation the retailer disclosed in early January 2014 that a data breach had exposed about 350,000 credit cards, of which 9,200 were known to have been used fraudulently. The plaintiffs sued Neiman Marcus, alleging — among other claims — that the company was negligent, breached its implied contract with customers, engaged in unfair and deceptive business practices, and violated state data breach laws.
Monday’s ruling comes at a preliminary stage of the case and addressed only whether the plaintiffs’ allegations, if proved, would meet the requirements of Article III of the U.S. Constitution, which requires that federal courts hear only actual “cases or controversies.” The Supreme Court has held that this requirement bars lawsuits where the plaintiffs have not alleged that they have suffered or imminently will suffer a concrete injury. The Supreme Court emphasized in a 2013 ruling, Clapper v. Amnesty International USA, that plaintiffs seeking to establish standing based on a risk of future injury must show that the threatened injury is “certainly impending,” a standard plaintiffs in other data breach cases have struggled to meet.
Continue Reading Data Breach Plaintiffs Allege Enough Risk of Harm for Suit to Proceed, Appeals Court Rules
Last week, the Federal Communications Commission (FCC) released the text of its long-awaited order addressing certain aspects of the Telephone Consumer Protection Act (TCPA) and related FCC rules. The order addressed a total of 21 petitions seeking “clarification or other actions” regarding the TCPA, principally in connection with automated calls and text messages.
Although the order purports only to “clarify” existing FCC precedent, there is widespread debate over whether the order imposed new requirements on entities that transmit automated calls and text messages. The order already has been appealed by one party and other appeals are expected. Nevertheless, because the FCC claims the order only clarifies existing precedent, its provisions became effective when the order was released on July 10, 2015.
The order focuses on ten key areas, which are summarized after the jump.
Continue Reading Ten Key Takeaways From Last Week’s TCPA Order
On July 6, 2015, China’s National People’s Congress (NPC) released a draft of the Network Security Law (“Draft Law,” referred to in some press articles as the draft Cybersecurity Law) for public comment. Comments can be submitted through the NPC website or by mail before August 5, 2015. The release of the Draft Law follows closely on the heels of the new National Security Law that was enacted last week (see Covington blog post here).
This Draft Law, initially reviewed by the NPC in June, would apply broadly to entities or individuals that construct, operate, maintain, and use networks within the territory of China, as well as those who are responsible for supervising and managing network security. A number of the provisions in this Draft Law, if enacted in their current form, are likely to significantly impact information and communications technology (“ICT”) and other companies with business operations or interests in China.
Those that most merit the close attention of companies are those that relate to (1) the “secure” operations of networks and “critical information infrastructure,” and (2) data protection. This post focuses on the latter.
Continue Reading China Releases Draft of New Network Security Law: Implications for Data Privacy & Security
In a consent decree adopted yesterday by the Federal Communications Commission, two telecommunications carriers — TerraCom, Inc., and YourTel America, Inc. — agreed to pay a $3.5 million civil penalty and adhere to a three-year compliance program to settle allegations that the carriers violated the federal Communications Act by failing to adequately protect “proprietary information” the carriers collected from consumers applying for federally subsidized phone service under the Lifeline program. The consent decree reiterates the FCC’s interpretation of Sections 201 and 222 of the federal Communications Act — first articulated in a October 2014 decision proposing to fine TerraCom and YourTel $10 million — broadening telecommunications carriers’ privacy and data security obligations. The consent decree also settles allegations that YourTel failed to de-enroll certain subscribers after being instructed to do so by the Universal Service Administrative Company, which administers Lifeline.
Continue Reading Carriers Agree to $3.5 Million FCC Fine For Alleged Privacy Violations
On July 1, 2015, China’s State Administration for Industry and Commerce published a draft of the Interim Measures on Supervision of Internet Advertising (“Draft Internet Advertising Measures”; original Chinese here) for public comment. If adopted as drafted, the Draft Internet Advertising Measures would (1) require advertisements in email and instant messaging to contain conspicuous options for the user to agree to, refuse, or unsubscribe from advertisements; (2) require websites to allow users to block pop-ups for certain repeat visitors; and (3) require advertisements sent via email or instant message to identify the sender and be marked as an advertisement. Public comments on the Draft are due by July 31, 2015. Once finalized, the Draft is expected to come into effect on September 1, 2015.
Continue Reading Draft Regulations in China Preview Stricter Rules on Internet Advertising
As part of its ongoing outreach efforts to educate businesses about the importance of data security practices, the FTC has released a list of “10 practical lessons” drawn from its previous data security enforcement actions. The list, entitled “Start with Security: A Guide for Business,” acknowledged that the FTC’s 50-plus data security enforcement actions are only binding on the individual companies subject to each action, but states that “learning about alleged lapses that led to law enforcement can help your company improve its practices.” In addition to ten “lessons,” the list included several subcategories of advice for each lesson drawn from prior FTC enforcement actions. As with all FTC “best practice” guides, this document does not state binding rules of law, but is a view into the FTC’s thinking on data security enforcement.
Here’s a brief overview of the matters included in the FTC’s list.
Continue Reading FTC Releases “Start with Security” Guide to “Practical Lessons” From Data Security Enforcement Actions
