Earlier this year, U.S. Customs and Border Protection (“CPB”) revealed that, in 2017, it searched the electronic devices of approximately 50 percent more travelers than it had in the previous year. The same day, it announced that it was issuing new search guidelines for the first time since August 2009. Continue Reading New Rules for Searching Electronic Devices at the U.S. Border

In the wake of recent high-profile data breaches and in the absence of federal data protection legislation, states continue to propose new laws aimed at protecting the personal data of their residents.  On January 23, 2018, the Senate Judiciary Committee of South Dakota approved and forwarded for consideration by the full senate a bill that would require companies and individuals who operate and collect personal data in South Dakota to report data breaches affecting residents of the state within 60 days of discovery and, if more than 250 residents are affected by a data breach, to the Attorney General and consumer reporting agencies as well.  Following a number of comments received from state business associations, the Senate Judiciary Committee added to the proposed bill a threshold for risk of harm such that if, pursuant to “an appropriate investigation” and following notice to the Attorney General, a company reasonably determines that a breach is not likely to result in harm to an affected South Dakota resident, then notice to such resident is not required.  Failure to comply with the breach notification law could constitute a “deceptive act or practice” under state law enforceable by the Attorney General, who is also empowered under the law to recover civil damages not to exceed $10,000 per violation per day.  The bill will next be considered by the full senate and if passed, would leave Alabama as the sole U.S. state without a consumer data breach notification law. Continue Reading South Dakota and Colorado are Latest States to Propose New Data Privacy Laws

On January 18, the Federal Trade Commission (“FTC”) released its Privacy & Data Security Update: 2017, describing its activities in the areas of consumer privacy and data security during the past year.

The report highlights the breadth of the FTC’s enforcement actions, both under Section 5 of the FTC Act, which prohibits unfair or deceptive practices in the marketplace and is the FTC’s primary tool with respect to consumer privacy and data security, and under various sector specific laws, such as the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act (the Safeguards Rule, Privacy Rule and Regulation P), the Children’s Online Privacy Protection Act and the Telemarketing Sales Rule (Do Not Call provisions).  The report also describes the FTC’s efforts to enforce international privacy frameworks, including the FTC’s first three enforcement actions under the EU-U.S. Privacy Shield framework.  Finally, the report highlights the FTC’s efforts in other areas, such as advocacy, consumer education, business guidance and policy development.

The full report can be found here.

Over the last year, the existential risk posed by cyberattacks and data security vulnerabilities has become one of the top concerns for boards of directors, management, government agencies, and the public.

This memo surveys some of the key cybersecurity and data privacy developments of 2017, including the major data breaches and cyberattacks, regulatory and legislative actions, and notable settlements and court decisions, with an eye towards what may be in store in 2018.

The new mandatory personal data breach notification regime introduced by the GDPR should be a key area of focus for organizations seeking to put in place GDPR compliance programs.  Personal data breaches are not only increasingly frequent and on the front pages, they are also one of the most likely causes of complaints being made by individuals against an organization and most likely subjects of investigation by data protection authorities (“DPAs”).  Regardless of whether an organization is at fault in allowing a breach to occur, its response will materially affect the impact of the breach on data subjects, and therefore the potential consequences for the organization itself.  Personal data breach management – of which breach notification forms a large part – should therefore be a priority area in any organization’s compliance efforts, including with respect to the GDPR.  Continue Reading Notification of data breaches under the GDPR – 10 Frequently Asked Questions

On December 27, 2017, the New York Secretary of State sent a demand letter to Equifax Inc.’s interim CEO requesting additional information to aid the Division of Consumer Protection’s efforts “to investigate, mediate and/or mitigate identity theft complaints from consumers generally” as well as its investigation into the data breach disclosed by Equifax, Inc. on July 29, 2017, in which the personal data of approximately 143 million individuals (including 8.4 million New York residents) was compromised.  The letter demands that Equifax, Inc. provide a direct contact to respond to consumer concerns and requests information in 10 categories, including (a) a summary of the credit reporting agency’s plan (if any) to make affected New York residents “whole” following the breach, (b) a copy of the forensic review prepared by the cybersecurity firm Mandiant, (c) New York-specific data for those consumers whose credit card details or dispute documents containing personally identifiable information were exposed in the breach and (d) the number of children 15 years old and younger affected by the breach, nationwide as well as within New York, and the “long-term protection response” (if any) created for such affected children.  The demand was made pursuant to emergency regulations adopted by the Department of State in December 2017 that require credit reporting agencies to respond to requests made by the Division of Consumer Protection within 10 business days.  A company spokesperson for Equifax, Inc. confirmed on January 4, 2018 that the credit reporting agency intends to respond to the demand letter within the required time period.  This demand is the latest development in a plethora of investigations by various law enforcement agencies and regulators into the breach and follows requests for information from all 50 state attorneys general as well as a subpoena from the New York Department of Financial Services (“DFS”). Continue Reading New York Regulator Demands Additional Information from Equifax

A recent decision by an intermediate Illinois appellate court, Rosenbach v. Six Flags Entm’t Corp.,[1] suggests that state courts—which are not bound by federal Article III standing limitations in entertaining suits—will not necessarily provide a more plaintiff-friendly forum for data privacy suits than their federal counterparts.

Earlier this month, we wrote about the Second Circuit’s summary order in Vigil v. Take-Two Interactive Software, Inc.[2]  There, the court affirmed the dismissal of a class action lawsuit brought in the Southern District of New York under the Illinois Biometric Information Privacy Act[3] (“BIPA”) for want of Article III standing because the plaintiffs had failed to allege an injury-in-fact, but remanded the case with instructions to amend the judgment and enter a dismissal without prejudice.[4]  The district court had ruled that the BIPA’s limitation of the private right of action to a “person aggrieved by a violation” meant that the plaintiffs’ failure to allege an injury-in-fact was also fatal to their claims as a matter of state law, meaning that the case should be dismissed with prejudice for failure to state a claim.[5]  The Second Circuit vacated that portion of the ruling on jurisdictional grounds, which left the door open for the plaintiffs to attempt to bring their claims in state court without any allegation of actual harm. Continue Reading Illinois Appellate Court Holds That Mere Technical Violations Of Data Privacy Statute Are Insufficient To State A Claim

In late November, the Second Circuit issued a summary order in Vigil v. Take-Two Interactive Software, Inc,[1] which affirmed the dismissal of a class action lawsuit brought in the Southern District of New York under the Illinois Biometric Information Privacy Act (“BIPA”) for lack of standing.[2]  In doing so, the court followed established Second Circuit precedent and highlighted the continuing difficulties plaintiffs face in establishing standing for certain technical violations of data privacy statutes, when those violations are unaccompanied by allegations of a breach or likelihood of improper access.  The case also serves as a reminder that as states pass statutes covering new types of technology and data, companies will need to remain vigilant in protecting a wider range of information than before. Continue Reading Second Circuit Issues Order Affirming Dismissal of Data Privacy Class Action Suit

Since the adoption of the General Data Protection Regulation (GDPR) in 2016, considerable attention has focused on the vastly increased scope of potential administrative fines, and even more attention is being paid to the issue with the GDPR becoming effective on May 25, 2018.  In this post, we summarize the key fining provisions, and analyze the recent relevant guidance on this issue from the Article 29 Working Party (an advisory group consisting of representatives from national data protection authorities together with the European Commission). Continue Reading Administrative Fines Under the GDPR

Following the generally positive assessment of the EU-U.S. Privacy Shield framework (the “Privacy Shield”) by the European Commission further to its first annual review, the Article 29 Working Party (an advisory group consisting of representatives from national data protection authorities together with the European Commission), released its own opinion (the “WP29 Opinion”), which was more critical and called for immediate actions to be taken on the part of the United States.

While the Article 29 Working Party praised some improvements made by U.S. authorities in terms of transparency and surveillance, the WP29 Opinion noted significant outstanding issues which ought to be remedied before the second annual review of the Privacy Shield or even earlier.  In particular, the Article 29 Working Party expressed concerns relating to the supervision of U.S. surveillance programs, the processing by U.S. authorities of personal data transferred under the Privacy Shield for national security purposes and the implementation of redress mechanisms available to individuals located in the EU against U.S. companies that are not using personal data in accordance with their commitments under the Privacy Shield.  The Article 29 Working Party has set out as priorities the appointment of an independent Ombudsperson entrusted with the appropriate powers, the clarification of internal procedural rules relating to the interaction between the Ombudsperson and other intelligence or oversight bodies (including declassification rules) and the appointment by the U.S. administration of the members of the Privacy and Civil Liberties Oversight Board contemplated by the Privacy Shield.  According to the Article 29 Working Party, those priority issues should be resolved by May 25, 2018, which is the deadline for compliance with the EU’s General Data Protection Regulation (GDPR) (please refer to our prior Alert Memo in that regard).

Other issues identified by the Article 29 Working Party related to the lack of information given to individuals in the EU regarding the exercise of their rights under the Privacy Shield and the need to increasingly monitor compliance of companies certified under the Privacy Shield.  The WP29 Opinion also provided specific recommendations with regard to the processing of employee data, rules regarding automated decision-making and the profiling of individuals, and the self-certification process by U.S. companies wishing to take advantage of the Privacy Shield.

The Article 29 Working Party advised that in the event of a failure to take the actions it prescribed in the WP29 Opinion within the next year, it reserved the right to challenge the validity of the European Commission’s adequacy decision underlying the Privacy Shield in national courts, which could result in its annulment. In that regard, some of the arguments the Article 29 Working Party could raise (such as the broad access to personal data by U.S. authorities for national security purposes) appear to be similar to those that resulted in the invalidation of the Safe Harbor scheme (the Privacy Shield’s predecessor) by the Court of Justice of the European Union in its Schrems v. Data Protection Commissioner judgment.

The Privacy Shield is also subject to pending challenges, one of which was dismissed on November 22, 2017, albeit not on substantive grounds but as a result of the applicant’s lack standing to act.  These challenges to the Privacy Shield echo other actions seeking to invalidate alternative legal grounds to transfer personal data from the EU to the United States, such as the one initiated by Mr. Schrems and the Irish Data Commissioner to question the legitimacy of so-called Standard Contractual Clauses (“SCCs,” also commonly referred to as Model Contracts), which is now pending before the Court of Justice of the European Union for a preliminary ruling.

The invalidation of both the Privacy Shield and the SCCs as approved methods for transferring personal data would cause serious disruptions in the flow of data and, as a result, business relations, between EU and U.S. companies.