Earlier this month, the FTC settled with two social media influencers for failing to provide adequate disclosures in their promotions of their company, and issued 21 warning letters to other influencers it felt continued to violate the FTC Endorsement Guidelines in spite of the educational letters the FTC had sent earlier this year. In addition to the new “FAQ” examples the FTC provided in its guidance materials and this blog post (which contains an instructional video), the FTC hosted a live Twitter chat to directly answer questions regarding its influencer disclosure policies. Continue Reading
Last week, in his annual State of the European Union Address, the President of the European Commission Jean-Claude Juncker called out cybersecurity as a key priority for the European Union in the year ahead. In terms of ranking priorities, President Juncker placed tackling cyber threats just one place below the EU leading the fight against climate change, and one above migration and protecting Europe’s external borders.
The full extent of the Commission’s ambition and plans in relation to cybersecurity is revealed in a detailed Communication, entitled Resilience, Deterrence and Defence: Building strong cybersecurity for the EU—a joint publication by the Commission and High Representative of the Union for Foreign Affairs and Security Policy.
We have prepared an alert that summarizes key elements of the Communication and Cyber Package that we think will be of most interest to our clients and readers of this blog. For the alert, click here.
On 13 September, the Information Commissioner’s Office (ICO) published draft guidance on GDPR contracts and liabilities on contracts between controllers and processors under the GDPR (the “Guidance”). The ICO is consulting on the Guidance until 10 October. We summarize the key aspects of the Guidance below. Continue Reading
On September 5, 2017, the Grand Chamber of the European Court of Human Rights (“ECtHR”) issued its ruling on appeal in the case of Bărbulescu v. Romania, concerning alleged unlawful workplace monitoring of Mr. Barbulescu’s private communications.
Overturning the ECtHR’s prior ruling in the case (covered by Inside Privacy here), the Grand Chamber held that Romanian courts had not adequately and fairly weighed up the competing interests of Mr Barbulescu and his employer. That defect of justice meant that Romania had failed to proactively protect Mr Barbulescu’s right to privacy, as required by its membership of the European Convention on Human Rights.
The Grand Chamber held that Mr Barbulescu’s right to privacy extended to his workplace, despite his private use of a work computer constituting a breach of his rules of employment. The Grand Chamber held that while privacy in the workplace can be restricted “as necessary,” “an employer’s instructions cannot reduce private social life in the workplace to zero,” since the right to privacy does not necessarily depend on an individual’s reasonable expectations, and can be enjoyed in public and in the workplace, notwithstanding prohibitions and warnings given to the individual. A fulsome balancing exercise was therefore required in cases such as these.
The Grand Chamber underlined that provided national courts undertake an adequate balancing exercise, they have some discretion as to the actual result (i.e. whether the employer’s or employee’s rights prevail in a given case). Similar discretion is also enjoyed by national legislators and constitutions when setting underlying rules on workplace privacy, provided such rules – and a means to enforce them – are actually in place.
Nevertheless, the ruling states that workplace monitoring must always be limited to what is necessary for a legitimate purpose, and should be accompanied by a range of safeguards, normally including prior notice to employees – particularly when the content of communications is concerned. Continue Reading
The FTC recently announced that it reached a settlement with two social media influencers, Trevor Martin and Thomas Cassell, for deceptively endorsing their owned and operated online gambling service “CSGO Lotto” without disclosing that they were the owners of the site, as well as paying other well-known social media influencers to promote the site without requiring them to disclose the payments in their posts. In addition, the FTC issued warning letters to 21 out of the 90 social media influencers it had sent educational letters to earlier this year, citing specific social media posts that they felt still failed to “clearly and unambiguously” disclose a material connection between the influencers and the brands or products they were promoting. The letters asked them to respond in writing, by September 30th, advising staff of whether they do, in fact, have a material connection with the brands/products cited in the letters and, if so, describing how they will ensure such relationship is clearly disclosed going forward. Finally, the FTC updated its guidance on its official Endorsement Guidelines with additional examples featuring common social media advertising mechanisms such as Instagram, Snapchat, and Facebook. Continue Reading
Earlier this month, the UK Government published a consultation on plans to implement the EU Directive on security of network and information systems (the “NIS Directive”, otherwise known as the Cybersecurity Directive). The consultation includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or 4% of global turnover (whichever is greater).
We summarise the UK Government’s plans below, including which organisations may be in scope — for example, in the energy, transport and other sectors, as well as online marketplaces, online search engines, and cloud computing service providers — and the proposed security and incident reporting obligations.
Organisations that are interested in responding to the consultation have until September 30, 2017 to do so. The UK Government will issue a formal response within 10 weeks of this closing date, and publish further security guidance later this year and next. A further consultation on incident reporting for digital service providers will be run later this year; the Government invites organisations that are interested in taking part to provide appropriate contact details. Continue Reading
On our sister blog, CovingtonDigitalHealth, our global cross-practice digital health team has launched a three-part series on the key questions the technology, life sciences and communications industries should be considering as they fit together the regulatory and commercial pieces of the complex digital health puzzle. Read the first post in the series here.
On August 28, 2017, the U.S. Government Accountability Office (“GAO”) publicly released a report regarding consumer privacy issues associated with the rapidly increasing number of cars that are “connected”—i.e., capable of wirelessly monitoring, collecting, and transmitting information about their internal and external environments. The report examines four key issues: (1) the types of data collected by connected cars and transmitted to selected automakers, and how such automakers use and share such data; (2) the extent to which selected automakers’ privacy policies are in line with established privacy best practices; (3) selected experts’ views on privacy issues related to connected cars; and (4) federal roles and efforts related to consumer privacy and connected cars.
The GAO turned to a variety of resources to explore the four identified issues. For starters, the GAO conducted a series of interviews with relevant industry associations, organizations that work with consumer privacy issues, and a sample of sixteen automakers (thirteen of which offered connected vehicles) based on their vehicle sales in the U.S. In addition, the GAO analyzed selected automakers’ privacy policies and compared them to privacy frameworks developed by the Organization for Economic Cooperation and Development (“OECD”) as well as the Federal Trade Commission (“FTC”), the National Highway Traffic Safety Administration (“NHTSA”), and the National Institute of Standards and Technology (“NIST”). Finally, the GAO consulted relevant sources (e.g., federal statutes, regulations, and reports) and interviewed agency officials, including those from the Department of Transportation (“DOT”), the FTC, and the Department of Commerce. Continue Reading
By Benjamin Duke, Matt Schlesinger, and Scott Levitt
[This article was also published as a Client Alert.]
Two recent federal district court decisions involving computer “spoofing” scams highlight the uncertainty about whether such incidents may be covered under standard “computer fraud” provisions in widely used crime insurance forms. The conflicting results in these cases provide a stark reminder to policyholders that seemingly minor differences in policy wordings can have a major impact on the scope of coverage – and severe financial consequences.
“Spoofing” refers to the practice of manipulating a commercial e-mail to falsify the e-mail’s true origin, without the consent or authorization of the user whose e-mail address is “spoofed.” See Karvaly v. eBay, Inc., 245 F.R.D. 71, 91 n.34 (E.D.N.Y. 2007). As recent cases reflect, scam artists have used spoofing—also known as “business email compromise,” “social engineering,” or “fake president” fraud—to induce even high-level executives of sophisticated companies to transfer millions of dollars to accounts under the scammers’ control. Faced with irretrievable losses, many companies have understandably looked first to the “computer fraud” and other provisions of their corporate crime policies for insurance coverage.
Last month, in Medidata Solutions, Inc. v. Federal Insurance Co., 2017 WL 3268529, __ F. Supp. 3d __ (S.D.N.Y. July 21, 2017), the court found coverage under the “computer fraud” provision of the insured’s crime policy for a $4.8 million loss resulting from an email spoofing scam. The scam started with a spoofed email to an accounts payable employee purportedly from Medidata’s president, directing the employee to await an attorney’s wire transfer instructions to pay for an impending acquisition. Id. at *1. That same day, the purported attorney called with instructions to process the wire transfer, and a subsequent spoofed email induced both Medidata’s vice-president and its CFO to sign off on the transfer. Id. at *2. Not until two days later did the company realize that it had been defrauded. Id. Continue Reading
Delaware Gov. John Carney has signed into law a bill that will impose more stringent obligations for notifying affected Delaware residents in the event of a data breach, in addition to establishing requirements for Delaware businesses to maintain “reasonable” data security practices. In addition to expanding the types of information that would require notification of affected individuals if breached, the amendments will also require an entity to provide credit monitoring services if the breach involves Social Security numbers. Once the bill enters into force, entities will also have to notify the Delaware Attorney General if a breach affects more than 500 Delaware residents. The amendments will enter into force on approximately April 14, 2018. Continue Reading