On January 6, 2021, a bipartisan group of state legislators introduced the “Biometric Privacy Act,” (Assembly Bill 27), which would make New York only the second state with a private right of action against entities that improperly use or retain biometric information. This is the third time that New York lawmakers have proposed such a bill.

The bill would protect individuals’ biometric identifiers, defined as fingerprints, voiceprints, retina or iris scans, and scans of face or hand geometry, as well as information based on such identifiers used to identify an individual.[1]

Under the bill, private entities in possession of biometric identifiers or information would need to develop and comply with publicly available written policies establishing retention schedules and guidelines for permanently destroying the identifiers or information when the initial purpose for collecting or obtaining them has been satisfied or within three years of the individual’s last interaction with the entity, whichever occurs first. Private entities would also be required to store, transmit, and protect from disclosure all biometric identifiers and information using the reasonable standard of care in their industry, and in a manner that is the same as or more protective than the manner in which they store, transmit, and protect other confidential and sensitive information. Full post: New York Lawmakers Introduce Biometric Privacy Bill with Private Right of Action

The following post was originally included as part of our recently published memorandum “Selected Issues for Boards of Directors in 2021”.

Patchwork and continually changing regulation continues to be the trend in data privacy law, with 2020 adding new legislation to the fray and striking down some existing privacy structures. 2021 will likely be a time of reflection for businesses trying to adjust to impending new requirements in the face of an increasingly remote workforce and customer base.

Boards and management will need to ensure that their businesses not only adjust to the legislation that entered into force in 2020, but are also preparing for the implementation of additional legislation on the horizon. As always, boards and management will need to continue to monitor the evolving privacy compliance landscape to ensure that they are mindful of privacy obligations and attendant risks when implementing their business objectives and oversight going into 2021.


In July 2019, the UK Information Commissioner’s Office (“ICO”) issued two notices of intent (“NOIs”) to fine British Airways (“BA”) and Marriott International Inc. (“Marriott”) for violations of the EU General Data Protection Regulation (“GDPR”), both related to high-profile personal data breaches. The NOIs proposed staggering fines of £183.39 million and £99.2 million, respectively, which would have constituted the largest penalties levied under the GDPR to date. More than a year later, the UK ICO finally issued the long-awaited penalty notices in relation to both investigations, imposing in both cases fines that, while still significant, were greatly reduced from what had initially been indicated – £20 million in the case of BA (a massive reduction of more than £163 million), and £18.4 million in the case of Marriott (an equally surprising reduction of more than £79 million). Full post: UK ICO Data Breach Fines – What Can We Learn From British Airways and Marriott?

Main Takeaways

Recommendations 01/2020 of the European Data Protection Board (the “EDPB”) on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (the “Recommendations”)[1] attempt to provide a step-by-step roadmap to help EU data exporters transfer personal data outside the EU to third countries in a manner consistent with the judgment of the Court of Justice of the European Union (the “CJEU”) handed down on July 16, 2020, in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (“Schrems II”, further described in Section 1 below).[2] The Recommendations were published on November 11, 2020 and can be relied upon immediately, even though they are subject to public consultation, with comments being due prior to December 21, 2020. Full post: Recommendations of the EDPB Further to the CJEU’s Schrems II Judgment: One Step Forward, Two Steps Back?

On Monday, November 9, 2020, the U.S. Federal Trade Commission announced a proposed settlement with Zoom Video Communications, Inc. (“Zoom”), a video conferencing provider, regarding allegations that Zoom misrepresented its data security practices to users and designed its product to circumvent certain embedded security features of third-party software. The proposed settlement requires Zoom to undertake a range of specific remedial measures related to its data security practices. It also imposes multiple layers of reporting and certification requirements. Full post: FTC Announces Settlement with Zoom Regarding Data Security Practices

In the wake of one of the largest reported medical ransomware attacks in U.S. history,[1] the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN) issued last week a pair of advisories to assist in efforts to combat the increasing threat of ransomware attacks and related sanctions and anti-money laundering (AML) compliance issues.[2] Like our blog post last month on the same topic, the advisories highlight the importance of considering the legal risks relating to ransomware payments and confirm that OFAC may pursue enforcement actions against ransomware payments that violate U.S. sanctions.[3] Full post: OFAC and FinCEN Issue Advisories on Cyber Ransom Payments

A two-minute global status update two and a half months after the Schrems II judgment of the CJEU: we are still in the dark, but there is hope for light at the end of the 2020 tunnel. Here are the main events since the judgment:

  1. Desperately Seeking Guidance: We are still waiting for definitive guidance from the EDPB, which issued FAQs setting out a clear summary of the judgment but did not offer much in terms of practical advice or an outlook for a stable framework to transfer personal data outside the European Union.
  2. Germans Not Wasting Time: Unable to wait for the EDPB, a German state data protection authority (the Baden-Württemberg Commissioner for Data Protection and Freedom of Information) issued concrete guidance which, while not binding on other authorities, may inspire others to do the same. In a bold move, it also gives recommendations for a revised set of standard contractual clauses (SCCs).
  3. Playing “Whack-A-Mole” in Ireland: As a direct consequence of the Schrems II judgment, Facebook had to immediately stop relying on the Privacy Shield and attempted to use SCCs to transfer personal data from its Irish to its U.S. companies. The Irish Data Protection Commission issued an order blocking that transfer, but Facebook obtained a temporary stay of that decision from Ireland’s High Court until the court reviews it in November. In the meantime, Facebook appears to have again switched grounds and to now be transferring personal data from Ireland to the United States on the basis of article 49(1)(b) of the GDPR (claiming that the transfer is necessary for the performance of its contracts with individual clients). Unsurprisingly, Max Schrems is disputing that move as well.
  4. Cruella De Vil and 101 Complaints: None of Your Business (an organization with strong ties to Max Schrems) launched 101 complaints to stop certain transfers of personal data to the United States, and also exercised data subject access requests to survey the main tech players on how the Schrems II judgment changed their international data transfer practices, but these efforts have not yet yielded much in the way of results or traction.
  5. Join the Club: Data protection authorities in Switzerland and Israel both followed the CJEU’s lead and declared the Privacy Shield no longer a valid ground to transfer personal data to the United States. This may inspire others in the “club” of countries that have adopted a data protection regime that is similar to, or compatible with, the GDPR to further scrutinize data transfers to the United States.
  6. The Empire Strikes Back: The U.S. administration only recently fought back by publishing a white paper explaining that the CJEU failed to take into consideration certain pro-privacy features of its legal regime, and giving arguments to data exporters in the European Economic Area wishing to use SCCs to transfer personal data to the United States. A call for clarity quickly followed.
  7. Announcing a Christmas Miracle: While talks between the European Commission and the U.S. Department of Commerce are underway “to evaluate the potential for an enhanced EU-U.S. Privacy Shield”, a more realistic option in the short run comes from the announcement by Executive Vice President of the European Commission Margrethe Vestager that revamped sets of SCCs will be issued before the end of the year. As ambitious as this may sound, the commissioner herself recognized that this would only be an “intermediate solution”. A permanent one may come from efforts to achieve a federal data privacy regime in the United States, but it is safe to predict that no such legislative framework will see the light of day in 2020.

On September 15, 2020, the Securities and Exchange Commission issued a cease‑and‑desist order against Unikrn, Inc. concerning its 2017 initial coin offering of UnikoinGold. The SEC found that the Unikrn ICO violated the prohibition in Section 5 of the Securities Act of 1933 against the unregistered public offer or sale of securities. The SEC imposed several remedies, including requiring Unikrn to permanently disable the UnikoinGold token and a civil money penalty of $6.1 million. Full post: SEC Issues Enforcement Action Against Unikrn, Inc. for its ICO, Prompting Rare Public Dissent from Commissioner Hester Peirce

Last month, reports surfaced that fitness technology company Garmin may have made a multimillion dollar payment in response to a ransomware attack with reported links to Evil Corp, a Russian hacking group subject to U.S. sanctions. This incident and other recent reports of ransomware attacks against large companies highlight that companies should consider potential civil and criminal liability under U.S. sanctions laws when responding to ransomware attacks. Full post: Ransomware and Sanctions Compliance: Considerations for Responses to Attacks

Background

On August 20, 2020, the Department of Justice (“DOJ”) announced that it had charged Joseph Sullivan, the former Chief Security Officer (“CSO”) of Uber Technologies Inc. (“Uber”), with obstruction of justice and misprision of a felony for allegedly attempting to cover up Uber’s 2016 data incident during the course of an investigation by the Federal Trade Commission (“FTC”). While the DOJ and federal law enforcement have generally treated corporate hacking targets as victims in connection with data breaches, the charges against Sullivan reinforce that they will actively pursue any violations of federal law that are committed by entities or individuals during the course of responding to such incidents. Full post: DOJ Charges Former Uber Executive for Alleged Role in Attempted Cover-Up of 2016 Data Breach