
Canada’s new data breach law, The Personal Information Protection and Electronic Documents Act (“PIPEDA”), took effect on November 1. Official guidance released by the country’s Privacy Commissioner explains a few of the law’s key provisions that will affect organizations, specifically, breach reporting and notification obligations, their triggers, and record retention.

Reporting & Notification Obligations

Under the new law, an organization must report and notify individuals of a data breach involving personal information under its control if it reasonably determines the breach creates a “real risk of significant harm” to an individual, regardless of the number of individuals affected. (The guidance states a covered breach that affects only one individual would nonetheless require reporting and notification.) Importantly, the organization that controls the data is required to report and notify individuals of the breach; the guidance clarifies that even when an organization has transferred data to a third-party processor, the organization remains ultimately responsible for reporting and notification. The guidance encourages organizations to mitigate their risk in the event their third-party processor faces a breach by entering into sufficient contractual arrangements.

Notification to individuals must be given “as soon as feasible” after the organization has determined a covered breach has occurred. The guidance states the notification must be conspicuous, understandable, and given directly to the individual in most circumstances. It must include enough information to communicate the significance of the breach and allow those affected to take any steps possible to reduce their risk of harm. The regulations further specify the information a notification must include. In certain circumstances, organizations are also required to notify governmental institutions or organizations of a covered breach; for example, an organization may be required to notify law enforcement if it believes it may be able to reduce the risk of harm.



Twenty years ago, the Supreme Court was faced with the question of whether a federal statute that imposed a content-based restriction on online speech violated the First Amendment. That case, Reno v. American Civil Liberties Union, marked the first instance in which the Supreme Court weighed in on the role of the Internet in the marketplace of ideas, and decided affirmatively that speech on the Internet is afforded protection under the First Amendment.

Over the course of the twenty years following Reno, the Internet has changed in size, shape, and substance. In 1997, about 40 million people used the Internet and “most colleges and universities,” “many corporations,” “many communities and local libraries,” and “an increasing number of storefront ‘computer coffee shops’” provided the public access to the Internet. Today, at least 280 million Americans use the Internet, 102 million U.S. households have in-home broadband Internet access, and 225 million Americans access the Internet through their mobile device. In 1997, popular uses of the Internet included e-mail, listservs, newsgroups, chatrooms, and the “World Wide Web” (which then consisted of around 100,000 websites), but today, social media dominates, with an estimated 81 percent of Americans participating.

Despite the seismic changes to the Internet since the Reno case was decided, the Court’s views on online speech have remained largely consistent, albeit more tailored to the times. Recently, in Packingham v. North Carolina, the Court struck down a content-neutral state law that restricted sex offenders’ access to “social networking” websites, finding that it violated the First Amendment. The significance of the Packingham opinion, particularly in its partial extension of Reno, goes beyond the four corners of the Court’s holding.



On February 9, 2017, six Democratic senators wrote to DHS Secretary John Kelly about their concerns over a Trump executive order that would remove Privacy Act protections for non-U.S. citizens and lawful permanent residents.

Senators Ed Markey (MA), Ron Wyden (OR), Jeff Merkley (OR), Al Franken (MN), Chris Coons (DE), and Mazie Hirono (HI) wrote that Section 14 of the order would make it easier for government agencies to share non-citizens’ personal information with Congress and the public.

On December 1, 2016, the Commission on Enhancing National Cybersecurity released its Report on Securing and Growing the Digital Economy. In its Report, the Commission, established in February 2016 by President Obama, provided detailed short- and long-term recommendations to strengthen cybersecurity in the public and private sectors. The Commission took a multi-stakeholder approach, emphasizing the need for broad public-private cooperation, defined consumer rights and responsibilities, and international streamlining efforts. The Report focused on eight cybersecurity topics identified in the Commission’s charging Executive Order: federal governance, critical infrastructure, cybersecurity research and development, cybersecurity workforce, identity management and authentication, Internet of Things, public awareness and education, state and local government cybersecurity, and additionally insurance and international issues.

After studying these eight critical areas, the Commission articulated ten foundational principles that shaped its recommendations in the Report. These principles focused on the growth in size and density of Internet-connected systems, United States and federal government leadership in cybersecurity innovation, private-public collaboration, clear definitions of authority and accountability, consumer education, user-friendly cybersecurity products, privacy and trust development, the unique needs and constraints of small businesses, and designing incentives for innovation.

The Report then enumerated myriad imperatives, recommendations, and action items for the current and next Presidential administrations to develop robust cybersecurity in the nation.