On 9 July, the UK Information Commissioner’s Office (“ICO”) issued a notice of its intention to fine Marriott International, Inc. (“Marriott”) £99,200,396 for alleged infringements of the EU General Data Protection Regulation ( “GDPR”) in connection with a cybersecurity incident notified to the ICO by Marriott in November 2018. The ICO’s public statement followed Marriott’s disclosure of the ICO’s intention to the US Securities and Exchange Commission (“SEC”) and comes just one day after the ICO published its notice of intention to fine British Airways £183.4 million (see our previous blog post here). The proposed fines, if enforced by the ICO, will be the two highest fines levied under the GDPR, to date.
On June 24th, Senators Mark Warner (D-VA) and Josh Hawley (R-MO) introduced a bill that would require large technology companies to regularly disclose to their users and the Securities and Exchange Commission (SEC) the value of the user data they collect and monetize. The bipartisan bill, cited as the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act, is intended to capture major online platforms such as Amazon, Facebook, Google and Twitter that offer “free” services to users while monetizing user data through targeted advertising.
The UK Information Commissioner’s Office (“ICO”) has issued a notice of intention to fine British Airways following an extensive investigation into the British Airways cybersecurity incident (notified by British Airways to the ICO in September 2018). The fine of £183.4 million relates to various alleged infringements of the EU General Data Protection Regulation (“GDPR”). Continue Reading UK Data Protection Regulator Issues Notice of Intention to Fine British Airways £183.4 Million for Personal Data Breach
Potentially signaling an expansion of the scope of constitutional standing in data breach cases, a district court in the Northern District of California recently held that the exposure of users’ non-sensitive, publicly available personal information may be sufficient to establish an injury-in-fact. Continue Reading District Court Finds Allegations That Data Breach Exposed Publicly Available and Non-Sensitive Personal Information Sufficient for Article III Standing
In the past year, members of the U.S. Congress and Senate on both sides of the aisle have proposed data privacy bills that would impose nationwide standards on companies who collect and/or share consumers’ personal information. Currently, all 50 states have separate, but often overlapping, data privacy regimes—each subjecting companies to various combinations of recordkeeping standards, data sharing restrictions, and data breach reporting requirements—creating a patchwork of state laws that can generate substantial uncertainty for corporations. Continue Reading Legislators Propose Differing Approaches to Federalizing Corporate Responsibility for Data Breaches
On 31 May 2019, the Supreme Court of Ireland dismissed Facebook’s appeal of the Irish High Court decision to refer questions regarding, among other things, the adequacy of the EU-U.S. Privacy Shield and the European Commission’s Standard Contractual Clauses to the Court of Justice of the EU (the “CJEU”). The CJEU will hear the case (C-311/18) on 9 July 2019. Continue Reading Data Transfer Mechanisms to be Reviewed by CJEU After Irish Supreme Court Dismisses Facebook Appeal
On May 8, 2019, Commissioners from Federal Trade Commission repeated their calls for federal data privacy legislation enforceable by the FTC at a hearing by the House Committee on Energy & Commerce titled “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.” Continue Reading FTC Commissioners Continue Calls for National Data Privacy and Security Legislation
On April 16, 2019, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert addressing all registered broker-dealers and investment advisers’ (together, “Firms”) privacy-related obligations under Regulation S-P (“Reg S-P”). The Risk Alert set out the most frequent Reg S-P deficiencies OCIE identified during examinations over the past two years, and encouraged registrants to review their written privacy policies and procedures as well as the consistency with which these policies and procedures have been implemented. The Alert is the latest in a series of recent privacy and cybersecurity guidance documents issued by the SEC, including the February 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures and October 2018 Report of Investigation on cyber-related frauds and public company accounting controls.
This Risk Alert is consistent with the SEC’s approach of seeking to influence the conduct of registrants by providing guidance on specific compliance issues, followed by Risk Alerts noting common exam deficiencies, prior to pursuing enforcement actions. Investment advisers and broker-dealers should take this as a prompt to review their relevant policies and procedures to ensure they are appropriate and being followed in practice. Continue Reading SEC Privacy Risk Alert may Foreshadow Upcoming Reg S-P Enforcement Against Broker-Dealers, Investment Advisers
On April 9, 2019, an appellate court in Illinois held in Liu v. Four Seasons Hotel, Ltd. that an employee’s allegations of violations of the state’s Biometric Information Privacy Act (“BIPA” or the “Act”) do not constitute allegations of “a wage or hour violation,” even where collection of biometric data is being used to monitor hours worked. Coming on the heels of the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corporation, which held that plaintiffs are not required to allege harm beyond a “technical” violation of the Act in order to bring an action under BIPA, Liu demonstrates a developing pattern of recognition of broad privacy rights in Illinois courts. Continue Reading Illinois Appellate Court Holds Employee Biometric Privacy Claims Are Independent Of Wage and Hour Disputes
On April 10, 2019, the Department of Justice (“DOJ”) released a white paper titled Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act. This white paper is the first official DOJ statement about the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) and reflects the DOJ’s current perspective on its scope and implications. Below we summarize the CLOUD Act and discuss the DOJ’s key observations. Continue Reading DOJ Releases White Paper Addressing Scope & Implications of CLOUD Act