By Ani Gevorkian

On Monday, the Consumer Financial Protection Bureau (CFPB) finalized a rule that promotes more effective privacy disclosures and saves the financial services industry around $17 million.  The new rule permits financial institutions that restrict data-sharing to post their annual privacy notices online rather than delivering them to customers individually.  The rule will be effective as soon as it is published in the Federal Register. 

Under the Gramm-Leach-Bliley Act (GLBA), a financial institution generally must send annual privacy notices to customers that describe whether and how the financial institution shares their nonpublic personal information.  An institution that shares this information with unaffiliated third parties generally must notify customers of their right to opt out of the sharing and provide instructions on how to do so.

Under the new rule, a financial institution may meet GLBA requirements by posting privacy notices online instead of distributing an annual paper copy, as long as the institution adheres to certain requirements.  For instance, the institution may not share data in ways that trigger customers’ opt-out rights.  It must also continue to send notices through existing delivery methods if the policies’ terms change or if a customer with limited internet access requests by phone to receive a notice.
Continue Reading CFPB Finalizes Rule to Allow Online Privacy Disclosures from Financial Institutions

On October 20, 2014, a bipartisan group of senators sent a letter to U.S. Senate Committee on Commerce, Science, & Transportation Chairman John D. Rockefeller IV (D-W.Va.) and Ranking Member John Thune (R-S.D.), requesting that the Committee schedule a “general oversight and information-gathering hearing” on digitally connected technologies before the end of 2014.

The letter, penned by Sens. Kelly Ayotte (R-N.H.), Cory A. Booker (D-N.J.), Deb Fischer (R-Neb.), and Brian Schatz (D-Hawaii), stated that the connected devices industry is expected to generate global revenues of $8.9 trillion by 2020, and that its importance would soon be felt by millions of Americans with the “proliferation of connected products” and “the upcoming holiday season.” The industry, however, raises a number of important policy questions in the areas of “consumer protection, security, privacy, technical standards, spectrum capacity, manufacturing, regulatory certainty, and public-sector applications,” the letter said.
Continue Reading Senators Request Hearing on Connected Devices

On October 15, 2014, the UK Information Commissioner’s Office (ICO) published an updated code of practice for surveillance cameras.  Among other topics, the ICO uses the Code to begin to address privacy practices for drones. 

Drones are not new, but two factors are now making questions about drones and privacy practices more pressing.  First, many drones now include high quality cameras, sourced originally from smart phone technologies, which increases their potential impact on individual privacy.  Second, the price of drones has fallen dramatically in recent years — making them increasingly ubiquitous and available for both businesses and consumers.  Policymakers in the United Kingdom and in the European Union are currently gathering information and conducting impact assessments to determine whether new legislative rules are needed to deal with the privacy challenges posed by drones, or whether existing data protection rules are sufficient. 

The ICO guidance note makes clear that standard data protection rules (and rules governing the use of CCTV cameras) will, in the meantime, apply to the use of drones.  It explains that — as with organizations and individuals handling data more generally — drone users should be separated out into professional and commercial users, on the one hand, and hobbyists, on the other.  Hobbyists, using drones for purely domestic purposes, are unlikely to be covered by data protection rules — but use of drones for non-domestic purposes will be governed by data protection requirements.
Continue Reading ICO Releases Concrete Guidance on Privacy Requirements When Recording Video with Drones

By Ashden Fein and Randall Friedland

On Friday, President Obama signed an Executive Order directed at securing consumer transactions and sensitive data, improving consumer identity theft remediation, and better securing personal information on federally run websites.  Among the security measures, the President ordered that all federal government-issued credit cards be equipped, as soon as possible, with chip-and-PIN technology.  Chip-and-PIN technology, commonly used in Europe, makes it harder to produce counterfeit cards from stolen card data.  A chip embedded in the card generates a unique code for every transaction, so data captured from one transaction cannot simply be replayed, and the cardholder must enter a PIN to authorize the purchase (as with a debit card), adding a second layer of security.  Further, the Executive Order requires all retail payment card terminals at federal agencies to be able to accept chip-and-PIN cards by January 1, 2015.
Continue Reading President Obama Signs Executive Order Aimed at Protecting the Security of Consumer Financial Transactions
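The per-transaction code is the property that matters: a copy of one transaction's data is useless for a later purchase because the issuer expects a fresh value each time, whereas magnetic-stripe track data is the same static string on every swipe. The following Python example is added here to illustrate that difference; it is not taken from the Executive Order, from any card network, or from the EMV specification. It models a hypothetical card, issuer host and terminal, using an HMAC over the amount, a card-side transaction counter and a terminal nonce as the "unique code". Real EMV cryptograms (ARQC) use issuer-derived keys and a defined data layout, so every key, field name, PIN-retry limit and PAN below is an assumption constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed, simplified model (not the EMV specification) of why a chip that
# produces a fresh cryptogram per transaction resists replay while static
# magnetic-stripe track data does not. Real EMV derives per-card and per-session
# keys from an issuer master key and uses a defined ARQC layout; the key, field
# layout, counters and retry limit here are illustrative assumptions only.

PIN_TRY_LIMIT = 3  # assumption: card blocks itself after three wrong PINs


def _cryptogram_input(pan: str, amount_cents: int, atc: int, nonce: bytes) -> bytes:
    # Binds the cryptogram to the card, the amount, the counter and the terminal nonce.
    return f"{pan}|{amount_cents}|{atc}|".encode() + nonce


class ChipCard:
    """Card side: card-unique MAC key, PIN check, application transaction counter (ATC)."""

    def __init__(self, pan: str, card_key: bytes, pin: str):
        self.pan = pan
        self._key = card_key
        self._pin = pin
        self.atc = 0
        self.pin_tries_left = PIN_TRY_LIMIT

    def generate_cryptogram(self, amount_cents: int, terminal_nonce: bytes, pin: str):
        """Return an authorization request, or None if the PIN is wrong or the card is blocked."""
        if self.pin_tries_left == 0:
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.pin_tries_left -= 1
            return None
        self.pin_tries_left = PIN_TRY_LIMIT
        self.atc += 1  # never reused: the issuer rejects anything at or below its last ATC
        mac = hmac.new(self._key, _cryptogram_input(self.pan, amount_cents, self.atc, terminal_nonce),
                       hashlib.sha256).digest()[:8]
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "nonce": terminal_nonce, "cryptogram": mac}


class IssuerHost:
    """Issuer side: knows each card's key and the highest ATC it has accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def authorize(self, req: dict, terminal_nonce: bytes) -> bool:
        key = self._keys.get(req["pan"])
        if key is None or req["nonce"] != terminal_nonce:
            return False  # unknown card, or cryptogram computed over a different nonce
        if req["atc"] <= self._last_atc[req["pan"]]:
            return False  # counter did not advance: a replayed request
        expected = hmac.new(key, _cryptogram_input(req["pan"], req["amount"], req["atc"], terminal_nonce),
                            hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False  # amount or other field altered in transit
        self._last_atc[req["pan"]] = req["atc"]
        return True


def magstripe_authorize(track_data: str, issued_tracks: set) -> bool:
    """Stripe model: the same static bytes are presented every time, so a copy is indistinguishable."""
    return track_data in issued_tracks


def run_demo() -> dict:
    key = os.urandom(16)
    card = ChipCard("4000000000000002", key, pin="1234")  # constructed test PAN and PIN
    issuer = IssuerHost()
    issuer.enroll(card.pan, key)
    results = {}
    nonce1 = os.urandom(4)
    req1 = card.generate_cryptogram(1999, nonce1, pin="1234")
    results["genuine"] = issuer.authorize(req1, nonce1)
    # Attacker captured req1 in transit and replays it at another terminal.
    results["replay_new_nonce"] = issuer.authorize(req1, os.urandom(4))
    # Even against a terminal that reused the same nonce, the ATC check rejects it.
    results["replay_same_nonce"] = issuer.authorize(req1, nonce1)
    # A second genuine transaction whose amount is altered in transit fails the MAC check ...
    nonce2 = os.urandom(4)
    req2 = card.generate_cryptogram(2500, nonce2, pin="1234")
    results["tampered_amount"] = issuer.authorize(dict(req2, amount=99999), nonce2)
    # ... while the untouched request is accepted.
    results["second_genuine"] = issuer.authorize(req2, nonce2)
    # Wrong PIN: the card refuses to produce a cryptogram at all.
    results["wrong_pin"] = card.generate_cryptogram(500, os.urandom(4), pin="0000") is None
    # Static track data copied from a stripe authorizes as readily as the original.
    track = "4000000000000002=2512101"  # constructed track-2 style data
    results["magstripe_replay"] = magstripe_authorize(track, {track})
    return results
```

The two freshness mechanisms guard different failure modes: the terminal nonce stops a cryptogram captured at one terminal from being presented at another, and the monotonic ATC stops it from being presented twice to the same terminal (or to one that reuses a nonce). The stripe comparison at the end is the point of the Executive Order's mandate: with nothing in the data that changes per transaction, a skimmer's copy is as good as the original.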

On October 2, 2014, the Food and Drug Administration (FDA) released a final guidance document titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”.  The FDA said that the “need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network- connected devices, and the frequent electronic exchange of medical device-related health information.”  The FDA defines cybersecurity as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.”  The cybersecurity of medical devices gained media attention last year when former Vice President Dick Cheney revealed that his doctor had the wireless function of Cheney’s implanted defibrillator replaced due to fears that a terrorist could hack the device and assassinate the Vice President. 

The guidance document identifies cybersecurity issues that manufacturers should consider when designing and developing their medical devices and information they should include when preparing their FDA medical device premarket submissions.
Continue Reading FDA Releases Final Guidance on Cybersecurity in Medical Devices, Public Workshop to Follow on October 21-22, 2014

At the International Conference of Data Protection and Privacy Commissioners in Mauritius this week, representatives of the private sector and academia joined together to discuss the positive changes and attendant risks that the internet of things and big data may bring to daily life. Attendees memorialized the observations and conclusions of their discussions in a Declaration on the Internet of Things and a Resolution on Big Data. The documents are not, of course, binding. But, the fact that the Declaration and Resolution drew the consensus of a large gathering of international data protection regulators renders them relevant indicators of direction of data privacy policies and trends.
Continue Reading Data Protection Officials Adopt Internet of Things Declaration and Big Data Resolution

By Caleb Skeath

You’ve added a passcode to your phone, checked your social network privacy settings (twice), and kept close tabs on the cookies in your web browser. But have you ever thought closely about the information your car collects about you?

New Jersey legislators are debating two identical bills that would provide additional safeguards against the disclosure of data contained in a car’s “black box,” which tracks a vehicle’s technical status and operational performance. These devices, often referred to as event data recorders or EDRs, are present on 90% of all cars and light trucks in the U.S. and may soon become mandatory on all new vehicles. In addition to assisting mechanics with car repairs, EDRs can assist law enforcement and insurance companies in crash investigations.
Continue Reading New Jersey Legislature Considers Additional Protections for Car “Black Box” Data

Yesterday, several big tech companies that offer educational and school services signed the “Student Privacy Pledge,” introduced by the Future of Privacy Forum (“FPF”) and The Software & Information Industry Association (“SIIA”) to safeguard student privacy as it relates to the collection, maintenance, and use of students’ personal information.  Among the fourteen education tech companies representing the initial group to join SIIA and FPF in introducing the Pledge are Microsoft, Amplify, and Houghton Mifflin Harcourt.  Notably, tech giants Google and Apple were absent from the list of signatories.  As part of the Pledge, effective January 1, 2015, participating companies agree to the following commitments:

  • Not to collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student
  • Not to sell student personal information
  • Not to use or disclose student information collected through an educational/school service (whether personal information or otherwise) for behavioral targeting of ads to students
  • Not to build a personal profile of a student other than for supporting authorized educational/school purposes or as authorized by the parent/student
  • Not to make material changes to school service provider consumer privacy policies without first providing prominent notice to the account holder(s) (i.e., the educational institution, or the parent/student when the information is collected directly from the student with student/parent consent) and allowing them choices before data is used in any manner inconsistent with terms they were initially provided; and not to make material changes to other policies or practices governing the use of student personal information that are inconsistent with contractual requirements
  • Not to knowingly retain student personal information beyond the time period required to support the authorized educational/school purposes, or as authorized by the parent/student
  • Collect, use, share, and retain student personal information only for purposes for which companies are authorized by the educational institution, teacher, or the parent/student
  • Disclose clearly in contracts or privacy policies, including in a manner easy for parents to understand, what types of student personal information is collected and the purposes for which the information maintained is used or shared with third parties
  • Support access to and correction of students’ personally identifiable information by the student or their authorized parent, either by assisting the educational institution in meeting its requirements, or directly, when the information is collected from the student with student/parent consent
  • Maintain a comprehensive security program reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information
  • Require that vendors with whom students’ personal information is shared in order to deliver the educational service are obligated to implement these same commitments
  • Allow a successor entity to maintain the students’ personal information, in the case of a merger or acquisition, provided the successor is subject to these same commitments for previously collected student personal information

Continue Reading Microsoft and Other Leading K-12 School-Service Providers Pledge To Protect Student-Data Privacy

By David Fagan and Sumon Dantiki

Last week the Antitrust Division of the Department of Justice (“DOJ”) issued a business review letter in response to a request by CyberPoint International LLC (“CyberPoint”).  At issue in the request was whether a proposed cyber threat information sharing system among possible competitors (“the TruSTAR platform”) raised antitrust concerns.  Following a review, DOJ announced in the letter that it had no intention of challenging the TruSTAR platform under antitrust laws.

The TruSTAR letter is significant for multiple reasons.  First, the letter generally reaffirms the joint “Antitrust Policy Statement on Sharing of Cybersecurity Information,” set forth by the DOJ and Federal Trade Commission (FTC) earlier this year on April 10.  In fact, in a press release accompanying the TruSTAR letter, the DOJ cited to the Policy Statement to emphasize that the “antitrust laws are not an impediment to legitimate private-sector initiatives to share specific information about cyber incidents and mitigation techniques.”
Continue Reading Department of Justice Clears Cybersecurity Information Sharing Platform