Archives: United States


New ECPA Reform Legislation Introduced in the Senate

By Lauren Moxley

In late July, three bipartisan bills to reform the Electronic Communications Privacy Act of 1986 (“ECPA”) were introduced in the Senate. Each of the bills proposes different updates to ECPA, which governs law enforcement access to consumer information stored with service providers. As we have discussed here, here, here, and here, the … Continue Reading

A Summary of the Recently Introduced “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”

On August 1, 2017, a bipartisan group of Senators introduced legislation (fact sheet) that would establish minimum cybersecurity standards for Internet of Things (“IoT”) devices sold to the U.S. Government.  As Internet-connected devices become increasingly ubiquitous and susceptible to evolving and complex cyber threats, the proposed bill attempts to safeguard the security of executive agencies’ … Continue Reading

D.C. Circuit: Data Breach Plaintiffs Plausibly Allege ‘Substantial Risk’ of ID Theft Sufficient to Support Standing

Customers’ allegations that they face a substantial risk of identity theft as a result of a 2014 data breach are sufficiently plausible to allow their suit against health insurer CareFirst to proceed, the U.S. Court of Appeals for the D.C. Circuit held in an August 1 decision. CareFirst discovered in April 2015 — and announced … Continue Reading

Department of Justice Releases Guidance for Vulnerability Disclosure Programs

Last week, the U.S. Department of Justice (“DOJ”) released a voluntary framework for organizations to use in the development of a formal program to receive reports of network, software, and system vulnerabilities, and to disclose vulnerabilities identified in other organizations’ environments.  This framework provides private entities a series of steps to establish a formal program … Continue Reading

California Bill Poised to Change Regime Governing the Internet of Things

A bill pending in the California legislature, if passed, would create new obligations for manufacturers of “connected devices.” S.B. 327 (also known as the “Teddy Bear and Toaster Act”) would operate somewhat differently than existing laws, such as the California Online Privacy Protection Act (“CalOPPA”). Security obligations. Manufacturers of connected devices that sell those devices … Continue Reading

FCC Fines Calling Platform $2.88 Million for TCPA Violations

Last week, the FCC issued a forfeiture order against Dialing Services, LLC (“Dialing Services”) for $2,880,000, finding that Dialing Services made automated calls to wireless phones without prior express consent, in violation of the Telephone Consumer Protection Act (“TCPA”).  Dialing Services is a platform that offers automated calling services to its customers, and this Order is … Continue Reading

New Jersey Enacts Law Limiting Ability of Retail Establishments to Scan State-Issued IDs

On July 21, New Jersey Governor Chris Christie signed into law the Personal Information Privacy Protection Act (PIPPA) (S. 1913), which limits the circumstances under which “retail establishments” (retailers) can collect and use information obtained by scanning the state-issued identification cards of customers. The new law limits the ability of retailers to scan the barcode … Continue Reading

FTC Announces “Stick With Security” Initiative

The FTC announced today a new “Stick With Security” Initiative, building on its prior “Start With Security” guide as “part of its ongoing efforts to help businesses ensure that they are taking reasonable steps to protect and secure consumer data.”  Stick With Security constitutes a series of blog posts published each Friday using “hypothetical examples … Continue Reading

New York DFS Publishes FAQs on New Cybersecurity Regulations

As our readers know, New York’s Department of Financial Services (“NY DFS”) released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 (23 NYCRR 500).  Among other things, the regulations require regulated entities to conduct cyber risk assessments and … Continue Reading

FTC and NHTSA Hold Workshop to Drive Discussion on Connected Cars

On June 28, 2017, the Federal Trade Commission and the National Highway Traffic Safety Administration (NHTSA) hosted a workshop to examine the consumer privacy and security issues that automated and connected motor vehicles pose.  The workshop’s Public Notice, which solicited comments from stakeholders in advance of the event, highlighted the benefits that connected cars can … Continue Reading

FTC Launches Review of Its Email Marketing Rule

Today the FTC announced that it is undertaking a review of its CAN-SPAM Rule, which sets out the requirements for sending commercial e-mail messages.  Among other things, the CAN-SPAM Rule requires that senders of commercial e-mails provide recipients a mechanism to opt out of receiving commercial e-mails, honor opt-out requests within 10 business days, and include specific disclosures in the … Continue Reading

FTC Staff Publish COPPA Guidance for Businesses

The FTC staff published today a “Six-Step Compliance Plan” for businesses to comply with the Children’s Online Privacy Protection Act (COPPA). The guidance, which provides a useful framework for businesses, states explicitly that COPPA applies to connected toys and other devices that collect personal information from children over the Internet.  The FTC’s 2013 revisions to the COPPA Rule greatly expanded … Continue Reading

Senate, House, and FTC Seek to Steer the Course of Self-Driving Vehicles

Members of Congress are gearing up for national laws on autonomous vehicles. Last week in the Senate, John Thune (R-S.D.), Gary Peters (D-Mich.), and Bill Nelson (D-Fla.) released a list of principles for bipartisan legislation in advance of a hearing they convened on June 14, 2017, entitled “Paving the Way for Self-Driving Vehicles.”  In the … Continue Reading

Second Circuit in Silk Road Appeal: No Fourth Amendment Protection in IP Addresses under the Third Party Doctrine

In February 2015, a jury convicted Ross Ulbricht of drug trafficking and other crimes associated with his creation and operation of Silk Road, an online marketplace whose users primarily purchased and sold illegal goods and services.  A federal judge in the U.S. District Court for the Southern District of New York then sentenced Ulbricht to … Continue Reading

Washington Becomes the Third State with a Biometric Law

By Rebecca Yergin

On May 16, 2017, Governor Jay Inslee signed into law H.B. 1493—Washington’s first statute governing how individuals and non-government entities collect, use, and retain “biometric identifiers,” as defined in the statute.  The law prohibits any “person” from “enroll[ing] a biometric identifier in a database for a commercial purpose, without first providing notice, … Continue Reading

FCC Releases NPRM on Broadband ISPs and Net Neutrality Rules

The FCC has released the Notice of Proposed Rulemaking (“NPRM”) on “Restoring Internet Freedom” that was adopted by a 2-1 vote at the Commission’s open meeting on May 18.  The NPRM is substantively very similar to the draft released by Chairman Pai on April 27, and the comment deadlines remain the same: July 17 for … Continue Reading

New Republican Privacy Bill Would Expand Scope of “Sensitive” Data

Representative Marsha Blackburn (R-TN) has introduced a bill, the “Balancing the Rights of Web Surfers Equally and Responsibly Act of 2017” (“BROWSER Act,” H.R. 2520) that would  create new online privacy requirements.  The BROWSER Act would require both ISPs and edge providers (essentially any service provided over the Internet) to provide users with notice of … Continue Reading

First Annual Privacy Shield Review Will Comprehensively Assess the Framework

The first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) is scheduled to occur in September 2017 in Washington, D.C.  The first review is particularly important for the nascent framework, as regulators in both the U.S. and the EU are expected to closely scrutinize the operation of the first year of the Privacy Shield, … Continue Reading

White House Issues New Cybersecurity EO

On May 11, 2017, President Trump signed an Executive Order titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (the “Order”).  The long-anticipated directive was issued months after the White House originally planned to release a cybersecurity order in February.  Since then, revised drafts of the order were circulated, including a version from February … Continue Reading

Parties Discuss Privacy Issues in Advance of FTC, NHTSA Workshop on Connected Cars

Automated vehicle technology is accelerating, and regulators are racing to keep up.  On June 28, 2017, the Federal Trade Commission and the National Highway Traffic Safety Administration (“NHTSA”) will hold a workshop to examine the consumer privacy and security issues posed by automated and connected vehicles.  The workshop comes several months after the Department of … Continue Reading

Ninth Circuit Will Rehear Dismissal of FTC Throttling Suit

The Ninth Circuit announced today that the full court will rehear the case in which the three-judge panel opinion had dismissed the FTC’s lawsuit against AT&T for allegedly violating Section 5 of the FTC Act due to past “throttling” practices around unlimited data plans.  According to the panel opinion, the FTC lacked jurisdiction over AT&T’s … Continue Reading

Eleventh Circuit Hands Another VPPA Loss to Video App Plaintiffs

In Perry v. Cable News Network, the Eleventh Circuit dealt another loss to putative class-action plaintiffs seeking to use the Video Privacy Protection Act (“VPPA”) as a weapon against free online video services. The court affirmed that to be a “subscriber” of a video service—someone who can sue under the VPPA—one must have a genuine … Continue Reading

FCC Chairman Pai Proposes New Regulatory Framework for Broadband ISPs, Seeks Comment on Net Neutrality Rules

In a widely anticipated step, FCC Chairman Ajit Pai has released a draft Notice of Proposed Rulemaking (“NPRM”) on the legal framework that governs broadband providers and related net neutrality questions. Most notably from a privacy perspective, the draft NPRM proposes to find that broadband Internet access service is an “information service” under the Communications … Continue Reading

Federal Trade Commission Plans to Clarify its Data Security Standard

The Federal Trade Commission (FTC) has announced that it is launching a new initiative to improve data security guidance and transparency as part of a broader plan to implement process reform initiatives.  In an interview with Politico Pro (subscription required) last week, the new acting director of the FTC’s Bureau of Consumer Protection, Thomas Pahl, … Continue Reading