Caleb Skeath

Caleb Skeath

Caleb Skeath advises clients on a broad range of privacy and data security issues, including regulatory inquiries from the Federal Trade Commission, data breach notification obligations, compliance with consumer protection laws, and state and federal laws regarding educational and financial privacy.

Subscribe to all posts by Caleb Skeath

FTC and Department of Education Announce Joint Workshop on FERPA and COPPA Compliance for Ed Tech

Earlier this week, the Federal Trade Commission and Department of Education announced plans to hold a joint workshop on the application of the Children’s Online Privacy Protection Act (“COPPA”) and the Family Educational Rights and Privacy Act (“FERPA”) to educational technology products and services in the K-12 school environment.  In advance of the workshop, the … Continue Reading

Preparation and Practice: Keys to Responding to a Cyber Security Incident

In the immediate aftermath of discovering a cybersecurity incident, companies often face many questions and few answers amidst a frenzy of activity.  What happened?  What should we do now?  What legal risks does the company face, and how should it protect against them?  In this fast-paced environment, it can be difficult to coordinate the activity … Continue Reading

Delaware Amends Data Breach Notification Law to Require Credit Monitoring, Attorney General Notification

Delaware Gov. John Carney has signed into law a bill that will impose more stringent obligations for notifying affected Delaware residents in the event of a data breach, in addition to establishing requirements for Delaware businesses to maintain “reasonable” data security practices.  In addition to expanding the types of information that would require notification of … Continue Reading

New Mexico Becomes 48th State with Data Breach Notification Law; Tennessee Restores Exemption for Encrypted Data

Last week, New Mexico and Tennessee both passed legislation updating each state’s requirements for notifying residents following a data breach.  New Mexico’s new law, H.B. 15, makes it the 48th U.S. state to enact a state data breach notification law, leaving Alabama and South Dakota as the only states that have not enacted similar laws.  … Continue Reading

Updated OMB Breach Response Policy Includes Required Breach-Related Provisions for Federal Agency Contracts

Last week, the Office of Management and Budget issued an updated breach response policy for federal agencies, replacing a policy last updated in 2007.  The policy, set forth in memorandum M-17-12, provides minimum standards for federal agencies in preparing for and responding to breaches of personally identifiable information (PII).   In addition to setting forth requirements … Continue Reading

FTC Issues Guidance for Responding to Data Breaches

On Tuesday, the FTC issued new guidance for businesses on responding to data breaches, along with an accompanying blog post and video.  The data breach response guidance follows the issuance of the FTC’s “Start with Security” data security guidance last year and builds upon recent FTC education and outreach initiatives on data security and cybersecurity … Continue Reading

Seventh Circuit, Relying on Defendant’s Post-Breach Statements, Allows Data Breach Class Action to Proceed

Last week, the Seventh Circuit handed down another friendly ruling for data breach class action plaintiffs, reversing a district court’s dismissal of a class action complaint over a 2014 data breach at P.F. Chang’s restaurants.  In reversing the district court’s holding that the plaintiffs had not demonstrated Article III standing, the Seventh Circuit ruled that … Continue Reading

Tennessee Amends Breach Notification Law to Cover Breaches of Encrypted Information

Last week, Tennessee Governor Bill Haslam (R) signed S.B. 2005 into law, amending Tennessee’s breach notification law to broaden the scope of information covered and require quicker notifications of the state’s residents.  Most notably, when the amendments enter into force on July 1, 2016, Tennessee will become the only U.S. state that could require notification … Continue Reading

CFPB Issues $100,000 Fine in First-Ever Data Security Enforcement Action

On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered into a consent order with online payment systems operator Dwolla, Inc., based on allegations that Dwolla deceived consumers about its data security practices and the safety of its online payment system. The CFPB brought this action under its authority in Sections 1031(a) and 1036(a)(1) … Continue Reading

Privacy Shield: Top Five Reasons It’s Tougher Than the Safe Harbor, Whether You Should Certify, and Next Steps

As noted in our post yesterday, the text of the EU-U.S. Privacy Shield, the upcoming trans-Atlantic data-transfer framework between the EU and U.S. to replace the invalidated U.S.-EU Safe Harbor, has been released by the U.S. Department of Commerce.  Commerce’s release coincided with the release of a draft adequacy decision by the European Commission. A … Continue Reading

White House’s Cybersecurity National Action Plan (CNAP) Includes Cybersecurity Awareness Campaign, Creation of Federal Privacy Council

Following the announcement of the President’s Cybersecurity National Action Plan (CNAP), an initiative designed to “enhance cybersecurity capabilities within the Federal Government and across the country,” the White House has released a fact sheet outlining the different components of the CNAP.  The announcement of the CNAP follows the President’s request for $19 billion in funding … Continue Reading

FTC Releases Agenda for First-Ever PrivacyCon

On Tuesday, the FTC announced the agenda for PrivacyCon, which is being billed as a “first-of-its-kind event” that will facilitate discussions between researchers and academics about privacy and security.  The FTC also released abstracts for the research that will be presented at the conference, scheduled for January 14.  PrivacyCon follows a call from the FTC … Continue Reading

FTC Appeals Dismissal of Data Security Complaint Against LabMD

Last Wednesday, the FTC took the next step in its ongoing Section 5 enforcement proceedings against LabMD, filing a formal notice seeking an appeal of Administrative Law Judge Chappell’s initial decision before the full Commission.  Judge Chappell’s initial decision, announced on November 13, dismissed the FTC’s complaint against LabMD, finding that the FTC failed to … Continue Reading

Administrative Law Judge Dismisses FTC’s LabMD Complaint, Finding Insufficient Evidence of “Substantial Injury” to Consumers

On Friday, November 13, Federal Trade Commission (FTC) Chief Administrative Law Judge Chappell issued an Initial Decision dismissing the FTC’s complaint against LabMD, on the ground that the Commission’s staff had failed to carry its burden of demonstrating a “likely substantial injury” to consumers resulting from LabMD’s allegedly “unfair” data security practices. While Judge Chappell’s … Continue Reading

Third Circuit Resurrects State Law Claims Against Google in Safari Cookie Tracking Lawsuit

Last week, the Third Circuit revived a multi-district privacy lawsuit against Google, finding that the trial court erred in dismissing the plaintiffs’ privacy claims under California state law.  The case centers around the plaintiffs’ allegations that Google violated state and federal law by circumventing the Safari browser’s default “cookie blocker” settings to track users’ online … Continue Reading

Following TCPA Omnibus Order, Court Reaffirms Prior Ruling in Dismissing TCPA Text Message Lawsuit Against AOL

In one of the first decisions evaluating Telephone Consumer Protection Act (TCPA) claims under the FCC’s recent omnibus TCPA order, the Northern District of California dismissed a putative class action lawsuit alleging that AOL violated the TCPA when users of its Instant Messenger service (AIM) sent text messages to incorrect recipients.  After the court dismissed … Continue Reading

Third Circuit Upholds FTC’s Data Security Authority in FTC v. Wyndham

The Third Circuit released its decision in FTC v. Wyndham Worldwide Corp. earlier today, affirming the district court’s decision that the FTC has the authority to regulate companies’ data security practices under the “unfair practices” prong of Section 5 of the FTC Act.  The highly anticipated precedential opinion dismissed Wyndham’s arguments that the FTC lacks … Continue Reading

Fiat-Chrysler Recalls 1.4 Million Vehicles In Response to Security Vulnerability

Last Friday, Fiat Chrysler announced the recall of 1.4 million vehicles to fix security vulnerabilities, further highlighting the importance of properly addressing cybersecurity issues created by the use of connected devices.  The recall follows an article published last Tuesday by Wired magazine which described methods used by security researchers to remotely access a Jeep Cherokee, … Continue Reading

Ten Key Takeaways From Last Week’s TCPA Order

Last week, the Federal Communications Commission (FCC) released the text of its long-awaited order addressing certain aspects of the Telephone Consumer Protection Act (TCPA) and related FCC rules.  The order addressed a total of 21 petitions seeking “clarification or other actions” regarding the TCPA, principally in connection with automated calls and text messages. Although the … Continue Reading

FTC Releases “Start with Security” Guide to “Practical Lessons” From Data Security Enforcement Actions

As part of its ongoing outreach efforts to educate businesses about the importance of data security practices, the FTC has released a list of “10 practical lessons” drawn from its previous data security enforcement actions.  The list, entitled “Start with Security: A Guide for Business,” acknowledged that the FTC’s 50-plus data security enforcement actions are … Continue Reading

Supreme Court Strikes Down Ordinance Authorizing Warrantless Searches of Hotel Records

On June 22, the Supreme Court issued its decision in Los Angeles v. Patel, striking down a Los Angeles city ordinance that allowed law enforcement to inspect hotel guest registers on demand as facially unconstitutional.  Writing for a 5-4 majority, Justice Sotomayor held that the ordinance violated the Fourth Amendment by failing to provide for … Continue Reading

Court Dismisses Text-Message TCPA Suit Against AOL, Finding Instant Messaging Service Does Not Constitute an ATDS

On June 1, the Northern District of California dismissed a putative TCPA class action against AOL, finding that the plaintiff had failed to allege that AOL utilized an automated telephone dialing system (ATDS), as required to state a cause of action under the TCPA.  In dismissing the plaintiff’s complaint in Derby v. AOL, the court … Continue Reading

Court Certifies Nationwide Class in Yahoo Email Scanning Litigation

Last Tuesday, District Judge Lucy Koh of the Northern District of California partially granted the plaintiffs’ motion for class certification in In re Yahoo Mail Litig., allowing the plaintiffs to pursue their claims for injunctive relief on behalf of class members under the Stored Communications Act (“SCA”) and California’s Invasion of Privacy Act (“CIPA”).  The plaintiffs, … Continue Reading
LexBlog