Last Friday, the Federal Communications Commission (“FCC”) rejected a petition from consumer advocates asking the FCC to extend its Open Internet Order by requiring edge providers such as Facebook and Amazon to follow the privacy regulations of Section 222 and to require those edge providers to honor “Do Not Track” requests from consumers.  The FCC

By David Fagan and Sumon Dantiki

Recently several media outlets reported that the New York State Department of Financial Services (“NYDFS”) sent a letter to many of the nation’s banks, regarding the “level of insight financial institutions have into the sufficiency of cybersecurity controls of their third-party service providers.”  The letter requested financial institutions to disclose “any policies and procedures governing relationships with third-party services providers,” and “any due diligence processes used to evaluate” such providers, including law and accounting firms.


Continue Reading Cybersecurity Regulators (Renew) Focus on Outside Vendors of Financial Institutions

In light of growing concerns over cybersecurity and evolving technology and operational practices, Ofcom (the independent regulator and competition authority for the UK communications industries) is seeking views on whether its existing guidance on network security should be revised.  Interested parties have until 21 February 2014 to respond.   Depending on the responses received, Ofcom intends

Continuing a flurry of recent legislative activity (see posts here and here), the California legislature on Tuesday passed a bill requiring that California law enforcement agencies obtain a search warrant to compel the production of communications content (e.g., emails and social media messages) from providers of electronic communication services.  A service provider may provide stored content to law enforcement without a search warrant if the service provider, in good faith, believes that an emergency involving the danger of death or serious physical injury to a person require disclosure without delay.  The bill—S.B. 467—was introduced by Senator Mark Leno and is sponsored by the Electronic Frontier Foundation and supported by the ACLU of California.  It will be enacted into law and become effective on January 1, 2014 if signed by Governor Jerry Brown or if Governor Brown has not vetoed the bill before October 13, 2013. 

Currently, the Stored Communications Act (“SCA”) (part of the federal Electronic Communications Privacy Act (“ECPA”)) requires law enforcement to obtain a search warrant for stored communications held by a service provider for less than 180 days or that have not been opened by the recipient, but only requires less rigorous forms of legal process—for example, a subpoena—for opened, stored communications held for more than 180 days.  (This distinction arose because in 1986 when the SCA was enacted, email typically was hosted on service providers’ servers temporarily and then downloaded by users after a short period of time).


Continue Reading CA Passes Legislation Requiring Search Warrant For Disclosure of Stored Content

Last week, Judge Ungaro of the Southern District of Florida granted in part and denied in part a motion to dismiss in Burrows v. Purchasing Power, LLC.  The court found that the plaintiff had asserted a plausible claim under the Florida Deceptive and Unfair Trade Practices Act (FDUTPA), granted the plaintiff leave to amend his claims for negligence and common-law invasion of privacy, and dismissed without leave to amend his claims under the Stored Communications Act (SCA) and Florida Constitution.

According to the Amended Complaint, defendant Winn-Dixie Stores, Inc. transferred employees’ personally identifiable information (PII) to a third-party service provider named Purchasing Power, which allows employees to purchase goods via automatic payroll deductions.  The Amended Complaint alleges that a Purchasing Power employee inappropriately accessed the Winn-Dixie employees’ PII, and that Winn-Dixie learned about the data breach in October 2011 but failed to notify employees until January 2012.  Plaintiff Patrick Burrows, who was a Winn-Dixie employee, claimed that an unknown person used his compromised PII to file a false tax return under his name, leaving him unable to collect his tax refund.


Continue Reading Florida Data Security Claims Survive Motion to Dismiss

As of March 1, 2012, all companies storing the personal information of Massachusetts residents with a third-party service provider must contractually require the service provider to maintain data security measures “consistent” with the Massachusetts data security regulations.  (You can read our overview of these regulations here.)

Among other things, those regulations—most of which took