On April 24, 2018, Senators Amy Klobuchar (D-MN) and John Kennedy (R-LA) introduced the Social Media Privacy and Consumer Rights Act of 2018.  The bill aims to protect consumers’ online data by increasing the transparency of data collection and tracking practices, and requiring companies to notify consumers of a privacy violation within 72 hours.

“Our bill gives consumers more control over their private data, requires user agreements to be written in plain English and requires companies to notify users of privacy violations,” Senator Kennedy explained. “These are just simple steps that online platforms should have implemented in the first place.”

Other features of the legislation include providing consumers a right of access to see what information about them has been collected and used, allowing consumers to opt out of data collection and tracking, and requiring online platforms to have a privacy program in place.  Senator Klobuchar explained that “[c]onsumers should have the right to control their personal data and that means allowing them to opt out of having their data collected and tracked and alerting them within 72 hours when a privacy violation occurs and their personal information may be compromised.” 
Continue Reading Senators Klobuchar and Kennedy Introduce Privacy Legislation

A new post over on Covington’s eHealth blog discusses a recent enforcement action taken by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) against Catholic Health Care Services, a business associate under HIPAA, arising out of a stolen iPhone.  This recent enforcement action should put business associates

On the heels of a number of well-publicized data security breaches, a White House data breach proposal, and California’s recent changes to its data breach notification statute, New York Attorney General Eric Schneiderman has announced that he will propose legislation to strengthen New York’s data breach notification law.   The legislation had not been made public as of the date of publication, but the Attorney General has stated publicly that he anticipates it will include the following elements:

  • Private Information Definition.  The legislation would expand the definition of “private information” that, if breached, requires notice to New York residents.  According to the Attorney General, “private information” should be defined to “include both the combination of an email address and password and an email address in combination with a security question and answer,” as well as “medical information, including biometric information, and health insurance information.”  It is worth noting that the White House proposal unveiled earlier this week also would cover these data elements, and there are some existing state laws that already cover these data elements.  For example, California’s recent amendments to its data breach statute require notice of certain breaches involving “[a] user name or email address, in combination with a password or security question that would permit access to an online account.”  In addition, several states, including California and Texas, have breach notification statutes that cover certain types of medical information.
  • “Reasonable” Data Security Requirement.  Consistent with the approach that a number of other states (including, most recently, California) have taken, the legislation would impose an affirmative obligation on companies to reasonably safeguard “private information,” including through appropriate administrative, technical, and physical safeguards.  Massachusetts and Nevada are among the states that have imposed more prescriptive data security obligations.
  • Safe Harbor.  Schneiderman’s press release provides that “New York should offer a safe harbor if a company adopts a heightened form of security. . . . Once [an entity implements a data security plan that meets the standard], an entity would be required to attain a certification and, upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether.”   It is not clear based on the Attorney General’s press release, but we presume that this safe harbor would pertain to the obligation to maintain reasonable data security safeguards and not to other obligations.  In addition, Schneiderman’s proposal would legislate that entities that obtain independent third-party audits and certifications annually showing compliance with New York’s reasonable data security requirements should receive, for use in litigation, a rebuttable presumption of having reasonable data security.
    Continue Reading New York Attorney General Unveils Data Breach Proposal

Last week, the Article 29 Data Protection Working Party published a non-binding Opinion on data breach notifications, titled Opinion 03/2014 on Personal Data Breach Notification (the Opinion).  The Opinion provides helpful new guidance to companies seeking to understand whether or not notifications about a breach must be made to European privacy regulators and/or affected individuals in the wake of a data breach.  Although the Opinion’s guidance is non-binding, and is not based on clear legal requirements, it is nevertheless likely to shape enforcement practices both inside and outside the EU, given the standing and influence of the Article 29 Working Party.

This post discusses key aspects of the Opinion.

Continue Reading EU Article 29 Working Party Publishes Guidance on Data Breach Notification

On Monday, February 10, a Southern District of Ohio district court dismissed two proposed class actions relating to an October 2012 Nationwide Mutual Insurance Co. data breach. Galaria v. Nationwide Mutual Ins. Co., No. 2:13-cv-118 (S.D. Ohio Feb. 10, 2014); Hancox v. Nationwide Mutual Ins. Co., No. 2:13-cv-257 (S.D. Ohio Feb. 10, 2014). The court held that neither case could proceed because the Plaintiffs had not sufficiently alleged an injury that would give them standing to sue in federal court under Article III of the U.S. Constitution. In their complaint, Plaintiffs alleged several putative injuries, including increased risk of identity theft and fraud arising from the breach, costs associated with mitigating that increased risk, “loss of privacy,” and deprivation of the value of their personal information. The court rejected each theory in turn. The opinion is the latest in a series of opinions holding that plaintiffs seeking to recover in data breach cases must allege more than the mere possibility of future harm.

Continue Reading Federal Court Dismisses Data Breach Suit Alleging Only Speculative Harms

By Fredericka Argent

This month, following an inquiry by the Australian Law Reform Commission (“ALRC”) into the effectiveness of the Australian Privacy Act 1988, the Australian government launched a discussion paper which calls for views from the public on whether a mandatory data breach notification scheme should be introduced in Australia. This scheme refers to a legally-binding obligation to provide notice to the relevant authority and any affected persons where the party in charge of protecting personal information unlawfully or accidentally breaches their security obligations — for example by destruction, loss or unauthorised disclosure of information. The paper recognises the importance of a data breach reporting requirement in light of the increasing amount of personal data held by public and private organizations in Australia, often in electronic form, which are vulnerable to theft and loss.

The paper analyses the pros and cons of introducing a mandatory data breach notification scheme, weighing up arguments such as the onerous costs of compliance and the effectiveness of the current voluntary guidelines issued by the Office of the Australian Information Commissioner (“OAIC”) against the positive effects of a legally-binding scheme, such as:

• Allowing the affected person to mitigate the consequences of the breach;

• Providing an incentive for organizations holding personal information to adequately secure information;

• Enabling data breach incidents to be tracked and information on breaches to be provided in the public interest; and

• Maintaining public confidence in the legislative privacy regime.

Continue Reading Australian Government Launches Discussion Paper on Privacy Breach Notification

Earlier this week, Wyndham Hotels & Resorts LLC moved to dismiss the complaint filed against it by the Federal Trade Commission in connection with Wyndham’s data security practices, asserting that the FTC has neither the authority nor the expertise to regulate them.

As we previously noted, the FTC filed a complaint against Wyndham in June — the first data security enforcement action to be litigated instead of being resolved by settlement.  Wyndham has now moved to dismiss the complaint, calling the FTC’s case “a classic example of agency overreaching.”

Continue Reading Wyndham: FTC Lacks Authority to Regulate Data Security

By Ryan Mowery

Last week, the FTC filed suit in federal court against global hospitality firm Wyndham Worldwide Corporation in connection with a series of data breaches affecting Wyndham and its subsidiaries between 2008 and 2010.  The complaint alleges that Wyndham misrepresented the security measures it employed to protect consumers’ personal information and that consumers were harmed by Wyndham’s failures to provide reasonable security for that information.  The FTC asserts that the alleged misrepresentations amounted to “deception” in violation of Section 5 of the FTC Act, while the failure to employ reasonable security measures violated the FTC Act’s prohibition against “unfair” acts.

Continue Reading The FTC’s Lawsuit Against Wyndham

Yesterday, Village View, Inc. reached a settlement with Professional Business Bank, a California state-chartered bank subject to regulation by the Federal Deposit Insurance Corporation (FDIC), over the company’s lawsuit against the bank arising from a data security breach.  In March 2010, Village View lost nearly $400,000 after the company’s bank account was compromised by hackers.