By Meena Harris and Caleb Skeath

  1. Data Breaches
  • Studies show increase.  Amidst a flurry of high-profile breaches during 2014, several studies confirmed that data breaches as a whole have risen significantly over the past few years.  The California Attorney General released a study showing a 28% increase in breaches in 2013 as compared to 2012.  Another study, which examined the volume of data breaches during the first quarter of 2014, found an increase of 233% compared to the same time period in 2013.
  • State laws.  In April, Kentucky became the 47th state to enact a data breach notification law.  Florida and Iowa each amended their data breach notification laws in 2014 to, among other changes, enhance regulator notification requirements.  California amended its data breach notice law to expand the types of information covered and to require certain companies to provide one year of free credit monitoring to affected individuals (although the statutory language on the latter point is subject to multiple interpretations).
  • Federal legislation.  Numerous data breach bills, including the Data Security Breach Notification Act of 2014 and the Personal Data Protection and Breach Accountability Act, were introduced in Congress, although none passed during 2014.  The Senate Judiciary Committee, the Senate Commerce Committee, and the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade, among others, held hearings during 2014 to discuss the need to address data breaches and the possibility of enacting federal legislation.
  • Federal enforcement.  In the enforcement arena, the Federal Trade Commission (“FTC”), the Department of Health and Human Services (“HHS”), and state attorneys general pursued enforcement action during 2014 against companies that had suffered data breaches.  The Securities and Exchange Commission also announced in April that its examination staff would conduct cybersecurity examinations of more than 50 registered broker-dealers and investment advisers.  The Federal Communications Commission (“FCC”), for its part, levied a $10 million fine in October against two telecommunications carriers for exposing customer data, which represented the FCC’s first enforcement action in the wake of a data breach.
  • Continued attention in 2015.  Legislative interest in data breach issues has only increased in early 2015.  Since President Obama proposed national data breach legislation, additional data breach notification bills have been introduced in the House and Senate.  The House Subcommittee on Commerce, Manufacturing, and Trade also held a hearing on crafting a national data breach bill, debating the harm that should trigger notification obligations and the appropriate window for providing notifications.
  2. Exploring Big Data
  • White House report. Starting in March, the White House hosted a series of public workshops across the country to review “the implications of collecting, analyzing, and using” big data.  The workshops culminated in the publication of the White House’s Big Data Report, outlining the Administration’s approach to open data and privacy, public- and private-sector management of data, and a proposed policy framework for big data, along with other recommendations concerning privacy values, educational innovation, big-data discrimination, law enforcement, and public-resource data.
  • FTC workshop.  Building on these efforts to understand big data, last September the FTC hosted a public workshop on the topic.  Specifically, the workshop explored big data’s impact on low-income and underserved consumers and the extent to which practices and outcomes facilitated by big-data analytics could have discriminatory effects on protected communities.
  3. Mobile App Enforcement
  • Device tracking.  Starting in February, the FTC held a series of workshops focused on mobile-device tracking, which has gained attention as brick-and-mortar retailers have begun tracking signals emitted from customer devices in order to better understand shopping habits.  On the state side, the California Attorney General released guidelines to help websites comply with a state law requiring websites to explain whether and how they respond to Do Not Track requests.
  • Consumer consent.  Throughout 2014, the FTC brought complaints against several tech giants — including Apple, Amazon, and Google — alleging that the companies billed parents and other account holders for children’s in-app activities without obtaining proper consent.
  • App security and disclosures.  The FTC also obtained settlements with mobile-app providers Credit Karma, Fandango, and Snapchat, for allegedly failing to provide reasonable security for personal information or adequate disclosures regarding security and data-collection practices.  In August, the FTC issued a report examining the consumer-protection implications of popular shopping apps, finding that these types of mobile apps frequently failed to provide sufficient pre-download disclosures to consumers. 
  4. Increasing Scrutiny of Data Brokers
  • Federal legislation.  In early 2014, Senators John D. Rockefeller IV (D-WV) and Ed Markey (D-MA) introduced the Data Broker Accountability and Transparency Act, which would require greater transparency from data brokers about the consumer information they collect and sell.  The Act followed a Senate Commerce Committee majority staff report finding that some data brokers sell sensitive information, such as data about financial vulnerability, without any mechanism for consumers to control or correct their information, and it was drafted with an express concern that data brokers operate “behind a veil of secrecy” and with “very little scrutiny and oversight” in a multibillion-dollar industry handling large quantities of personal information.
  • FTC report.  Shortly after the White House Big Data Report, the FTC released its Data Broker Report, urging Congress to consider legislation promoting transparency and consumer access to information held by data brokers, and calling on data brokers to adopt best practices such as privacy by design.
  5. Wyndham v. FTC
  • Issue.  The FTC alleged that Wyndham Hotels violated the prohibition on “unfair” practices in Section 5 of the FTC Act by failing to provide “reasonable” security for the personal information of its customers.  Unlike most FTC data security cases, which settle before the FTC files a complaint in federal court, Wyndham refused to settle and instead challenged the FTC’s authority to bring data security cases under Section 5.
  • Denial of motion to dismiss.  In April, Judge Esther Salas of the U.S. District Court for the District of New Jersey disagreed with Wyndham and denied its motion to dismiss, concluding that Section 5 provides the FTC with the authority to regulate data security.
  • Interlocutory certification.  Recognizing that no federal appellate court had yet ruled on the issue, Judge Salas certified the case for review by the U.S. Court of Appeals for the Third Circuit.
  • Third Circuit review.  In August, the Third Circuit agreed to review the lower court’s decision.  The case has been briefed and now awaits argument.  Assuming that the Third Circuit publishes its opinion in this case, the ruling would be binding in Delaware, New Jersey, and Pennsylvania.  It also likely would be highly persuasive in other jurisdictions.
  6. Emerging Regulation of the Internet of Things
  • NSTAC Report.  In February, the Industrial Internet Subcommittee of the National Security Telecommunications Advisory Committee (“NSTAC”) released a report on the Internet of Things, concluding that the federal government has less than 5 years, and possibly as few as 3 years, to influence how the Internet of Things is adopted in order to mitigate the associated cybersecurity risks.
  • Proposal for V2V communication.  In August, the National Highway Traffic Safety Administration (“NHTSA”) and the Department of Transportation (“DOT”) initiated rulemaking to require vehicle-to-vehicle (“V2V”) communication on new model cars and light trucks.  The advance notice of proposed rulemaking included an interim privacy risk assessment of NHTSA and DOT’s proposed framework for V2V communication.
  • Voluntary Code of Conduct for Smart Grid Data Privacy.  The Department of Energy and the Federal Smart Grid Task Force also solicited comments on a Voluntary Code of Conduct for Smart Grid Data Privacy (“VCC”) in late 2014 before releasing a final version of the VCC in January 2015.  Although the VCC’s impact could be limited by its voluntary nature and lack of external enforcement, it provides a framework that utilities and third parties can use to govern their collection, use, and disclosure of smart grid data.
  • More interest in 2015.  Following the release of the FTC’s long-anticipated Internet of Things report in January, interest in the Internet of Things should only continue to grow in 2015.  The report, which grew out of the FTC’s Internet of Things workshop in November 2013, provided key recommendations on security, data minimization, and consumer notice and choice.  The Senate Commerce Committee also held a hearing in February to examine how the federal government should regulate the Internet of Things.
  7. Limiting Use of Drones
  • FAA proposal and privacy advocates’ concerns.  This month, the FAA released a Notice of Proposed Rulemaking that would allow limited commercial use of drones weighing less than 55 pounds.  Over the past year, news of the FAA’s plans has raised a number of privacy concerns, such as fears that companies and the government would use drones to spy on individuals.
  • White House response.  To address these concerns, the White House released a memorandum that limits the government’s ability to use drones to collect information about individuals, and requires the government to be transparent about its drone use.  The memorandum also directs the National Telecommunications and Information Administration to work with the private sector to develop voluntary best practices for drone use.
  • Federal legislation.  In December, retiring Sen. Jay Rockefeller released a bill that would prohibit the use of drones for surveillance of an individual without the individual’s prior express consent and require drone operators to anonymize and aggregate information about individuals who have not provided prior express consent.
  8. Reforming NSA Data Collection
  • Restricting collection and expanding disclosure.  In January, President Obama called for an “end” to the National Security Agency’s (“NSA”) bulk data collection program “as it currently exists” and released a Presidential Policy Directive restricting the NSA’s ability to collect bulk data or to target specific individuals for surveillance.  Later in the same month, the Department of Justice loosened restrictions on public disclosure of Foreign Intelligence Surveillance Act (“FISA”) orders and National Security Letters, providing recipients of these requests with two options for disclosing to the public the approximate volume of the requests received.
  • Federal legislation.  The White House also proposed legislation to restrict the NSA’s collection of bulk calling records.  Under the proposal, the records would be retained for 18 months by telecommunications providers instead of the NSA, and the NSA would have to obtain a court order to access them.  The House Intelligence Committee proposed a similar bill, with slightly looser restrictions on the FISA Court’s oversight of government data requests.  None of these bills passed.  One such bill, the USA Freedom Act, was blocked by Senate Republicans in November over concerns that it would hamper the government’s ability to fight terrorism.
  9. Sharing of Cyber Threat Information
  • DOJ/FTC Antitrust Policy Statement.  Although the concept of cyber threat information-sharing has been discussed for several years, the federal government took several small but important steps in 2014 towards making widespread sharing a reality.  In April, the Department of Justice (“DOJ”) and the FTC released a joint Antitrust Policy Statement explaining that properly designed sharing of cyber threat information is unlikely to raise antitrust concerns.  The DOJ reiterated this position in a business review letter in October, announcing that it had no intention of challenging the TruSTAR information sharing platform under the antitrust laws.
  • Federal legislation.  Following these developments, Congress passed the National Cybersecurity Protection Act of 2014, which codified the National Cybersecurity and Communications Integration Center within the Department of Homeland Security as a platform for cyber threat information sharing between the public and private sector.  However, this bill did not provide any liability protection for the sharing of cyber threat information.  Passing information-sharing legislation that includes liability protections has remained a central issue in early 2015.  After President Obama proposed an information-sharing bill in January, the Senate Committee on Homeland Security and Governmental Affairs held a hearing to discuss with a cross-section of private industry stakeholders and cybersecurity experts the need for information sharing and liability protection.
  • Cyber Threat Intelligence Integration Center.  Last week, the White House announced the creation of the Cyber Threat Intelligence Integration Center, which will coordinate cyber threat intelligence from the FBI, the Department of Homeland Security, the National Security Agency, and other federal agencies.
  10. Telemarketing Enforcement
  • TCPA amendment.  In October 2013, the FCC’s amendments to its telemarketing rules under the Telephone Consumer Protection Act (“TCPA”) took effect, requiring companies to obtain consumers’ prior express written consent before placing autodialed or prerecorded telemarketing calls (including text messages) to wireless telephone numbers.
  • Increase in lawsuits.  Because statutory damages can reach $1,500 per call for willful violations, the new TCPA rules have been attractive to class action plaintiffs’ lawyers.  TCPA lawsuits increased by 30 percent between September 2013 and September 2014.
  • Federal court ruling on definition of “autodialer.”  In a significant recent opinion, a federal judge in the Northern District of California dismissed a putative class action under the TCPA, ruling that a company does not use an automatic telephone dialing system, or “autodialer,” when it sends an automated text message to a number that was supplied by a third party, in that case the person who had invited the consumer to a group.