Delaware Gov. John Carney has signed into law a bill that will impose more stringent obligations for notifying affected Delaware residents in the event of a data breach, in addition to establishing requirements for Delaware businesses to maintain “reasonable” data security practices. In addition to expanding the types of information that would require notification of affected individuals if breached, the amendments will also require an entity to provide credit monitoring services if the breach involves Social Security numbers. Once the bill enters into force, entities will also have to notify the Delaware Attorney General if a breach affects more than 500 Delaware residents. The amendments will enter into force on approximately April 14, 2018.
CFPB Issues $100,000 Fine in First-Ever Data Security Enforcement Action
On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered into a consent order with online payment systems operator Dwolla, Inc., based on allegations that Dwolla deceived consumers about its data security practices and the safety of its online payment system. The CFPB brought this action under its authority in Sections 1031(a) and 1036(a)(1)…
UK Supreme Court Will Hear Google’s Appeal in Important Privacy Case
The UK Supreme Court has granted Google the right to appeal part of the English and Welsh Court of Appeal’s notable ruling in Google Inc. v. Vidal-Hall & Ors [2015] EWCA Civ 311.
Our previous blog highlighted the facts of the case (brought by Internet users against Google’s ad-tracking practices) and the significant consequences…
English Court of Appeal Decision Significantly Expands UK Privacy Law
Dan Cooper and Phil Bradley-Schmieg
On March 27, 2015, the England and Wales Court of Appeal (EWCA) handed down a historic judgment in Google Inc v. Vidal-Hall & Ors [2015] EWCA Civ 311, with significant consequences for organizations handling personal data in, or from, the UK.
This case was brought against Google Inc. by three users of Apple’s Safari web browser. They argued that over a period of nine months, Google’s DoubleClick and AdSense services secretly tracked their visits to all websites that used Google AdSense to serve advertising, contrary to Google’s public assurances that users who kept Safari’s default privacy settings would not be tracked or profiled by DoubleClick, or receive personalized advertising. This, they alleged, allowed Google to wrongfully build up a detailed picture of their browsing history from which it could deduce their interests and personal characteristics, and thus serve personalized adverts. Similar cases have been brought against Google in the United States, leading to a US$22.5 million U.S. Federal Trade Commission fine and a US$17 million settlement with state attorneys general.
European Consumer Legislation and Online Privacy Policies: Opening Pandora’s Box?
Regulators and courts in the EU are increasingly vigilant about the privacy practices and policies of large online companies. In recent years and months, the pressure has increased not only through privacy-specific regulation and enforcement, but also through the application of consumer legislation. As the examples below from France and Germany show, some courts and regulators now assess privacy practices and policies against the rules on unfair or abusive trade practices; in some countries, the legislator is even proposing new laws to that end. This is a worrying trend, as it could subject privacy policies to an additional set of rules, and implies that EU consumer protection authorities may acquire competence over online privacy policies alongside the EU data protection regulators.
Data Breach Notification Bills Introduced in House and Senate
By Caleb Skeath
Last week, Reps. Joe Barton (R-TX) and Bobby Rush (D-IL) re-introduced the Data Accountability and Trust Act (DATA Act) in the House of Representatives. The bill (H.R. 580), which has been introduced several times in previous years, would provide a nationwide data security standard, backed by FTC enforcement and civil penalties, as well as provisions requiring notification to affected individuals in the event of a data breach. Meanwhile, Sens. Dianne Feinstein (D-CA), John Rockefeller (D-WV), Mark Pryor (D-AR), and Bill Nelson (D-FL) introduced a similar bill, the Data Security and Breach Notification Act (S. 177), this week in the Senate. The Senate bill is also a re-introduction of a previous bill, and would likewise provide FTC-enforced security standards and individual breach notifications.
Although the text of the DATA Act has not yet been released, a release from the bill’s sponsors stated that the bill will be “substantially similar” to prior versions. According to the release, the bill will define “personal information” to include an individual’s name in connection with (1) a Social Security number, (2) a driver’s license, passport, or other government-issued identification number, or (3) a financial account or credit or debit card number in combination with a security code or password that would permit access to an individual’s financial account. Commercial entities that own or process personal information would be required to implement effective information security procedures and policies to safeguard that information. Following a breach, entities would have to notify the affected individuals, in addition to the FTC. The FTC and state attorneys general would enforce the provisions of the bill, which would allow for civil penalties of up to $5 million for violations. The bill’s sponsors have announced a public briefing on the bill on February 6, during which they will provide more information about the bill’s provisions.
House Debates Federal Data Breach Legislation
This morning, the House Subcommittee on Commerce, Manufacturing, and Trade, chaired by Rep. Michael Burgess (R-TX), held a hearing to determine what elements should be included in federal data breach legislation. Despite the momentum for legislation created by high-profile breaches at retailers like Target and Home Depot, and most recently at Sony, ongoing efforts in both the House and Senate to replace the 47 existing state data breach laws with a single national standard have so far been unsuccessful. This activity in the House is yet another attempt to enact a federal law governing data security, and today’s hearing made clear that many practical questions remain for lawmakers to “get it right” on a data breach bill, as Rep. Fred Upton (R-MI) put it.
New Jersey Legislature Considers Additional Protections for Car “Black Box” Data
By Caleb Skeath
You’ve added a passcode to your phone, checked your social network privacy settings (twice), and kept close tabs on the cookies in your web browser. But have you ever thought closely about the information your car collects about you?
New Jersey legislators are debating two identical bills that would provide additional safeguards against the disclosure of data contained in a car’s “black box,” which tracks a vehicle’s technical status and operational performance. These devices, often referred to as event data recorders or EDRs, are present on 90% of all cars and light trucks in the U.S. and may soon become mandatory on all new vehicles. In addition to assisting mechanics with car repairs, EDRs can assist law enforcement and insurance companies in crash investigations.
Microsoft and Other Leading K-12 School-Service Providers Pledge To Protect Student-Data Privacy
Yesterday, several big tech companies that offer educational and school services signed the “Student Privacy Pledge,” introduced by the Future of Privacy Forum (“FPF”) and The Software & Information Industry Association (“SIIA”) to safeguard student privacy as it relates to the collection, maintenance, and use of students’ personal information. Among the fourteen education tech companies representing the initial group to join SIIA and FPF in introducing the Pledge are Microsoft, Amplify, and Houghton Mifflin Harcourt. Notably, tech giants Google and Apple were absent from the list of signatories. As part of the Pledge, effective January 1, 2015, participating companies agree to the following commitments:
- Not to collect, maintain, use or share student personal information beyond that needed for authorized educational/school purposes, or as authorized by the parent/student
- Not sell student personal information
- Not to use or disclose student information collected through an educational/school service (whether personal information or otherwise) for behavioral targeting of ads to students
- Not to build a personal profile of a student other than for supporting authorized educational/school purposes or as authorized by the parent/student
- Not to make material changes to school service provider consumer privacy policies without first providing prominent notice to the account holder(s) (i.e., the educational institution, or the parent/student when the information is collected directly from the student with student/parent consent) and allowing them choices before data is used in any manner inconsistent with terms they were initially provided; and not to make material changes to other policies or practices governing the use of student personal information that are inconsistent with contractual requirements
- Not knowingly retain student personal information beyond the time period required to support the authorized educational/school purposes, or as authorized by the parent/student
- Collect, use, share, and retain student personal information only for purposes for which companies are authorized by the educational institution, teacher, or the parent/student
- Disclose clearly in contracts or privacy policies, including in a manner easy for parents to understand, what types of student personal information is collected and the purposes for which the information maintained is used or shared with third parties
- Support access to and correction of students’ personally identifiable information by the student or their authorized parent, either by assisting the educational institution in meeting its requirements, or directly, when the information is collected from the student with student/parent consent
- Maintain a comprehensive security program reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information
- Require that vendors with whom students’ personal information is shared in order to deliver the educational service are obligated to implement these same commitments
- Allow a successor entity to maintain the students’ personal information, in the case of a merger or acquisition, provided the successor is subject to these same commitments for previously collected student personal information
California Amends Data Breach Legislation
Continuing our coverage of the flurry of bills signed into law by California Governor Jerry Brown last week, we turn now to AB 1710, an amendment to California’s data breach legislation. The amendment makes three notable changes to existing law regarding the privacy of personal information:
1. Requires Companies that Maintain Personal Information to Implement and Maintain Reasonable Security Procedures and Practices.
California’s existing data breach law requires companies that own or license personal information to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information . . . .” Under existing law, the terms “own” and “license” include personal information retained as a part of a business’s internal customer accounts or for the purpose of using the information in transactions.
AB 1710 extends this requirement to companies that merely “maintain” personal information about Californians. The bill defines “maintaining” information in the negative, as holding personal information that the business does not own or license.
For purposes of implementing and maintaining reasonable security procedures and practices, California defines “personal information” as an individual’s first name (or first initial) and her last name in combination with her social security number, driver’s license or California ID number, any medical information, or a financial account number (such as a credit or debit card number) and the associated access code. Cal. Civ. Code § 1798.81.5(d)(1).