
For the fifth consecutive session of Congress, Sen. Dianne Feinstein (D-CA) has introduced legislation that would establish a federal data breach notification standard.  Sen. Feinstein’s legislation — the Data Breach Notification Act of 2011 (S. 1408) — is one of a number of breach notice proposals circulating on Capitol Hill that would preempt state breach notice laws and replace them with a federal standard.  In the Senate alone, Sens. Jay Rockefeller (D-WV) and Mark Pryor (D-AR) have introduced the Data Security and Breach Notification Act of 2011 (S. 1207), and Sen. Patrick Leahy (D-VT) has introduced the Personal Data Privacy and Security Act of 2011 (S. 1151).

We have heard from several sources that Sen. Rockefeller, Chairman of the Senate Committee on Commerce, Science & Transportation, is planning to mark up S. 1207 in the near future.  And last week, the House Subcommittee on Commerce, Manufacturing, and Trade marked up and voted to report the SAFE Data Act (H.R. 2577) (introduced by Rep. Mary Bono Mack (R-CA)) to the full House Energy & Commerce Committee.

Unlike many of the breach bills that are circulating, Sen. Feinstein’s bill is limited to breach notification obligations and does not include information security requirements.  Generally, S. 1408 is much more similar to the breach notice provisions of S. 1151 (Leahy) than to those of S. 1207 (Rockefeller/Pryor) or H.R. 2577 (Bono Mack).

Feinstein Introduces Breach Notice Bill; Senate Committee May Consider Breach Notice Proposals Shortly

The Commodity Futures Trading Commission (“CFTC”) recently approved a final rule broadening the scope of the CFTC’s financial privacy regulations under the Gramm-Leach-Bliley Act (“GLBA”) to include “swap dealers” and “major swap participants,” two types of entities created by and subject to regulation under Dodd-Frank.  GLBA requires financial institutions to, among other requirements, establish safeguards to ensure the security and confidentiality of consumer records and to comply with certain requirements governing the disclosure of consumers’ personal information.  Swap dealers and major swap participants are expected to collect and use nonpublic personal information in a similar manner as financial institutions currently subject to GLBA’s financial privacy requirements.  The CFTC’s rule simply extends the financial privacy requirements to swap dealers and major swap participants.

The final rule becomes effective 60 days after the CFTC finalizes its regulations further defining the terms “swap dealer” and “major swap participant.”  On December 21, 2010, the CFTC issued proposed regulations with respect to these definitions.  The proposed definitions of these terms under the Dodd-Frank statute appear after the jump.

CFTC Issues Final Rule Extending Financial Privacy Requirements to Swap Dealers and Major Swap Participants

Jon Leibowitz, chairman of the Federal Trade Commission, and Cameron Kerry, general counsel of the Department of Commerce, spoke today about the need for industry codes of conduct to address emerging privacy issues.  They were the featured speakers at an event held by the Brookings Institution on strategies to protect consumer privacy while ensuring continued innovation on the Internet.

As we previously discussed, the Commerce Department has called for baseline consumer privacy protections that would serve as the basis for codes of conduct that specify how the baseline principles apply in particular contexts.  At today’s event, Kerry provided more detail about the Department’s proposal.

FTC, Commerce Department Reiterate Support for Industry Codes of Conduct

Today, the Consumer Financial Protection Bureau (“CFPB”) assumed certain powers and authorities set forth in Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act.  The CFPB is tasked with implementing and enforcing Federal consumer financial laws to ensure that consumers have access to markets for consumer financial

CFPB Opens for Business

By David Fagan and Libbie Canter

Yesterday, the House Subcommittee on Commerce, Manufacturing, and Trade voted to report the Secure and Fortify Electronic Data Act (H.R. 2577) — the SAFE Data Act — to the full House Energy & Commerce Committee, moving the legislation one step closer to passage. The legislation creates a national breach notification standard that would preempt the 46 state laws (plus District of Columbia and Puerto Rico laws) that presently require entities to notify consumers of breaches of their personal information.

The legislation was introduced formally on July 19 by Rep. Mary Bono Mack (R-CA) and was approved by the Subcommittee by a voice vote that appeared to track party lines. Rep. Bono Mack had circulated a discussion draft of the SAFE Data Act last month that we discussed here.

Prior to voting the bill out of the Subcommittee, members considered several amendments to the legislation, focusing in particular on issues relating to the rulemaking authority of the Federal Trade Commission and the scope of the definition of personal information. The Subcommittee took the following actions on proposed amendments:

  • It approved an amendment offered by Rep. Bobby Rush (D-IL) that is intended to clarify that the Act’s information security obligations apply to paper records in addition to electronic records. 
  • It approved an amendment offered by Reps. Marsha Blackburn (R-TN) and Pete Olson (R-TX) that appears designed to make it more difficult for the Federal Trade Commission to expand the definition of personal information. Prior to the amendment, the bill expressly authorized the FTC to modify the definition of personal information through an Administrative Procedure Act rulemaking process.

House Subcommittee Approves Bono Mack Breach Notification Legislation

On July 13, 2011, Connecticut adopted a law prohibiting certain employers from using employees’ or prospective employees’ credit report information in making employment or hiring decisions.  Hawaii, Illinois, Oregon, Washington, and Maryland also have statutes that prohibit employers’ use of credit report information for employment purposes.  Other states currently considering

Connecticut Latest State to Prohibit Employers from Using Credit Reports in Employment Decisions

The Federal Financial Institutions Examination Council (FFIEC) released the long-awaited supplement to its authentication guidance, Authentication in an Internet Banking Environment.  The supplement represents the most current and authoritative guidance regarding data security in connection with online banking platforms. 

Here are a few highlights of the supplement:

  • Financial institutions

FFIEC Releases Supplement to Authentication Guidance

This week, Stanford Security Lab reported preliminary results from a platform it has been developing, a chief application of which is to detect various forms of third-party tracking in an automated manner.  According to researcher Jonathan Mayer’s release, which emphasizes that these are “preliminary findings from experimental software,” Stanford’s system has detected that over half of the companies tested that belong to the self-regulatory Network Advertising Initiative (“NAI”) group leave tracking cookies on users’ computers even after a user opts out of online behavioral targeting.  Importantly, though, NAI member companies are required by the NAI guidelines only to allow and abide by requests to opt out of behavioral ad targeting, and the guidelines do not contain commitments with respect to tracking.   This distinction between targeting and tracking has been the subject of increasing attention, including from the Federal Trade Commission.    

The preliminary study results also reportedly show that at least eight NAI members—including prominent networks such as 24/7 Real Media and Audience Science—commit in their privacy policies to stop tracking users following an opt-out request, but nonetheless leave tracking cookies in place.  Although the media and, increasingly, plaintiffs’ counsel can be quick to latch onto these types of reports, it will be critical to closely examine each company’s privacy policy language in the context of the company’s actual practices.

Preliminary Results Reported From Stanford “Tracking the Trackers” Study
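The targeting-versus-tracking distinction above turns on a concrete, checkable fact: after a user opts out, does the network set an opt-out marker cookie while still (re)issuing a persistent, per-user identifier cookie?  The following is an added illustration of how such a check can be automated, in the spirit of the Stanford platform but not its code.  The ad-network domain, cookie names and values are constructed assumptions; two fresh browser profiles are simulated, each recording the Set-Cookie headers it received before and after sending the opt-out request.  A cookie is treated as a tracking identifier when it is persistent, high-entropy and differs between the two fresh profiles; if such a cookie is still set once the opt-out marker is present, the opt-out covers targeting but not tracking.

```python
import math
from collections import Counter
from http.cookies import SimpleCookie

# Constructed data (assumption, not data from the Stanford study): Set-Cookie
# headers that two fresh browser profiles received from a hypothetical ad
# network, before and after sending the network's opt-out request.
OBSERVED = {
    "profile_a": {
        "before": [
            "uid=8f3c1a9b2d4e5f60; Max-Age=63072000; Domain=.ads.example; Path=/",
            "pref=en; Max-Age=63072000; Domain=.ads.example; Path=/",
            "ses=1; Path=/",
        ],
        "after_optout": [
            "optout=1; Max-Age=63072000; Domain=.ads.example; Path=/",
            "uid=8f3c1a9b2d4e5f60; Max-Age=63072000; Domain=.ads.example; Path=/",
            "pref=en; Max-Age=63072000; Domain=.ads.example; Path=/",
        ],
    },
    "profile_b": {
        "before": [
            "uid=03bd77c9e41a2f58; Max-Age=63072000; Domain=.ads.example; Path=/",
            "pref=en; Max-Age=63072000; Domain=.ads.example; Path=/",
            "ses=1; Path=/",
        ],
        "after_optout": [
            "optout=1; Max-Age=63072000; Domain=.ads.example; Path=/",
            "uid=03bd77c9e41a2f58; Max-Age=63072000; Domain=.ads.example; Path=/",
            "pref=en; Max-Age=63072000; Domain=.ads.example; Path=/",
        ],
    },
}

OPT_OUT_NAMES = {"optout", "opt_out", "OPTOUT"}  # assumed marker names to look for
MIN_ID_ENTROPY = 3.0          # bits per character; hex/base64 identifiers sit well above this
MIN_PERSIST_SECONDS = 86400   # anything shorter is treated as session-scoped


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character: a cheap 'looks like an identifier' test."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_set_cookie(headers):
    """Map cookie name -> Morsel for a list of Set-Cookie header values."""
    cookies = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            cookies[name] = morsel
    return cookies


def is_persistent(morsel) -> bool:
    """True if the cookie outlives the browser session (long Max-Age or an Expires)."""
    max_age = morsel["max-age"]
    if max_age:
        return int(max_age) >= MIN_PERSIST_SECONDS
    return bool(morsel["expires"])


def identifier_cookies(profiles):
    """Names of persistent, high-entropy cookies whose value differs per fresh profile."""
    per_profile = [parse_set_cookie(p["before"]) for p in profiles.values()]
    common = set.intersection(*(set(c) for c in per_profile))
    found = set()
    for name in common:
        values = {c[name].value for c in per_profile}
        if (len(values) == len(per_profile)                      # unique per profile
                and all(is_persistent(c[name]) for c in per_profile)
                and min(shannon_entropy(v) for v in values) >= MIN_ID_ENTROPY):
            found.add(name)
    return found


def audit_opt_out(profiles):
    """Report whether the opt-out marker was set and which identifier cookies survived it."""
    ids = identifier_cookies(profiles)
    after = [parse_set_cookie(p["after_optout"]) for p in profiles.values()]
    opt_out_set = all(any(n in OPT_OUT_NAMES for n in c) for c in after)
    retained = sorted(name for name in ids
                      if all(name in c and is_persistent(c[name]) for c in after))
    return {"opt_out_set": opt_out_set, "retained_identifiers": retained}


if __name__ == "__main__":
    # With the constructed data: the opt-out marker is honoured, yet "uid" survives.
    print(audit_opt_out(OBSERVED))
```

Two fresh profiles are the minimum needed to separate a per-user identifier from a shared preference cookie such as `pref=en`, which is persistent but identical for everyone; in practice the comparison would be run across more profiles and repeat visits, and against the network's own privacy policy wording, which is the point the post makes about reading each policy against actual behaviour.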

Yesterday, two Subcommittees of the House Energy and Commerce Committee (Commerce, Manufacturing and Trade and Communications and Technology) held a joint hearing entitled “Internet Privacy:  The Views of the FTC, the FCC, and NTIA” that featured testimony from FCC Chairman Julius Genachowski, FTC Commissioner Edith Ramirez, and NTIA Assistant Secretary Lawrence Strickling.  Topics discussed included the need for privacy and data security legislation, the development of baseline governing principles, and current efforts by each agency to engage stakeholders on these issues.

Legislators from both Subcommittees recognized the economic and social value of the Internet throughout the hearing and emphasized that nearly every aspect of our daily lives now has an online component.  Despite its “incalculable value,” the Chairwoman of the Subcommittee on Commerce, Manufacturing and Trade, Rep. Mary Bono Mack (R-CA), characterized the Internet as a “work in progress” and expressed concerns shared by many Members of the two Subcommittees over the collection, use, sharing and protection of online data and the need to improve consumer education.  The witnesses generally shared these concerns, and although their testimony did not reflect a shift in policy at the FTC, FCC, or NTIA, the dialogue between the legislators and regulators did shed light on the current state of thinking about privacy regulation at the federal level.

Two House Energy & Commerce Subcommittees Hold Hearing on Internet Privacy

The Northern District of California issued two key rulings last week in denying in part a motion to dismiss in In re Google Inc. Street View Electronic Communications Litigation, a consolidated action arising out of Google’s acknowledged interception of “payload data,” including emails, usernames, passwords, and other private data, from unencrypted home wireless networks using technology installed on Google’s Street View vehicles.

First, in a matter of first impression, Judge Ware rejected Google’s argument that its interception of Wi-Fi communications content was not restricted by the Wiretap Act (Title I of the Electronic Communications Privacy Act, or ECPA) because of the statute’s exception for communications “readily accessible to the general public.”  Instead, the court held that this exception applies only to communications using traditional radio broadcast technology.  Significantly, Judge Ware distinguished Wi-Fi technology from traditional radio services, which presumptively are intended to be public, instead likening Wi-Fi to cellular technology, in that both are designed to send communications privately.  The court also held that plaintiffs’ Wiretap Act claim was plausibly pleaded, meaning that the litigation will continue beyond Google’s motion to dismiss.

Key Holdings in Google Street View Litigation: WiFi Not “Readily Accessible to the General Public” and ECPA Preempts State Wiretap Laws