In late July 2019, U.S. federal and state regulators announced three headline‑grabbing data privacy and cybersecurity enforcement actions against Equifax and Facebook. Although coverage of these cases has focused largely on their striking financial penalties, as important are the terms the settlements imposed on the companies’ operations as well as their officers, directors, and compliance professionals—and what they signal about potential future enforcement activity to come.
Continue Reading
Cybersecurity
New York Passes Expansive New Cybersecurity Law
By Jonathan S. Kolodner, Rahul Mukhi & Russell Mawn on
On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or the “Act”), which expands data breach notification obligations under New York law and for the first time imposes affirmative cybersecurity obligations on covered entities.
The Act makes five principal changes…
UK Regulator Intends to Fine Marriott £99 Million for Personal Data Breach, Spotlighting M&A Cybersecurity Diligence
By Daniel Ilan, Natalie Farmer & Tom Wales on
On 9 July, the UK Information Commissioner’s Office (“ICO”) issued a notice of its intention to fine Marriott International, Inc. (“Marriott”) £99,200,396 for alleged infringements of the EU General Data Protection Regulation ( “GDPR”) in connection with a cybersecurity incident notified to the ICO by Marriott in November 2018. The ICO’s public statement followed Marriott’s disclosure of the ICO’s intention to the US Securities and Exchange Commission (“SEC”) and comes just one day after the ICO published its notice of intention to fine British Airways £183.4 million (see our previous blog post here). The proposed fines, if enforced by the ICO, will be the two highest fines levied under the GDPR, to date.
…
Continue Reading
The DASHBOARD Act – Proposed New Law Would Force Large Technology Companies to Disclose the Value of Users’ Data
By Alexis Collins, Jane C. Rosen & Natalie Farmer on
On June 24th, Senators Mark Warner (D-VA) and Josh Hawley (R-MO) introduced a bill that would require large technology companies to regularly disclose to their users and the Securities and Exchange Commission (SEC) the value of the user data they collect and monetize. The bipartisan bill, cited as the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act, is intended to capture major online platforms such as Amazon, Facebook, Google and Twitter that offer “free” services to users while monetizing user data through targeted advertising.
…
Continue Reading
UK Data Protection Regulator Issues Notice of Intention to Fine British Airways £183.4 Million for Personal Data Breach
By Natalie Farmer on
The UK Information Commissioner’s Office (“ICO”) has issued a notice of intention to fine British Airways following an extensive investigation into the British Airways cybersecurity incident (notified by British Airways to the ICO in September 2018). The fine of £183.4 million relates to various alleged infringements of the EU General Data Protection Regulation (“GDPR”).…
Continue Reading
District Court Finds Allegations That Data Breach Exposed Publicly Available and Non-Sensitive Personal Information Sufficient for Article III Standing
Potentially signaling an expansion of the scope of constitutional standing in data breach cases, a district court in the Northern District of California recently held that the exposure of users’ non-sensitive, publicly available personal information may be sufficient to establish an injury-in-fact.[1]…
Continue Reading
FTC Commissioners Continue Calls for National Data Privacy and Security Legislation
On May 8, 2019, Commissioners from Federal Trade Commission repeated their calls for federal data privacy legislation enforceable by the FTC at a hearing by the House Committee on Energy & Commerce titled “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.”…
Continue Reading
CFIUS Forces Kunlun to Unwind 2016 Acquisition of Grindr Over Concerns About the Protection of Sensitive Personal Data
Posted in Cybersecurity
On March 27, 2019, journalists affiliated with Reuters reported that the Kunlun Group (“Kunlun”), a China-based tech firm, was preparing to sell its wholly owned subsidiary, Grindr, after the Committee on Foreign Investment in the United States (“CFIUS”) informed the group that Kunlun’s continued ownership of Grindr constituted a national security risk. This forced divestiture of Grindr is a pointed reminder that CFIUS remains focused on protecting the sensitive personal data of U.S. citizens, has the power to upend closed deals that have not been cleared by the committee, and is dedicating increased resources to the review of transactions that are not notified to CFIUS.…
Continue Reading
Federal Trade Commission Issues 2018 Privacy and Data Security Update
By Alexis Collins & Margot G. Mooney on
Posted in Cybersecurity, Privacy
On Friday, March 15, 2019, the U.S. Federal Trade Commission (“FTC”) issued its 2018 Privacy & Data Security Update (the “Update”) detailing its activities last year in seven “zones” of privacy and data security: enforcement, advocacy, rules, workshops, reports and surveys, consumer education and business guidance, and international engagement. …
Continue Reading
Canadian Financial Regulator Publishes New Cyber Incident Reporting Guidelines Effective March 2019
On January 24 2019, Canada’s Office of the Superintendent of Financial Institutions (“OSFI”) released an Advisory detailing new requirements for Canadian federally regulated financial institutions (“FRFIs”) to report cyber incidents within 72 hours. FRFIs include banks, trust companies, loan companies, life insurance companies, property and casualty insurance companies, and fraternal benefit societies.
The new reporting requirements become effective on March 31, 2019.…
Continue Reading