On June 27, 2018, Equifax Inc., the credit reporting agency, agreed to implement stronger data security measures under a consent order with the New York State Department of Financial Services (“NYDFS”) and seven other state banking regulators. The order imposes detailed duties on Equifax’s Board of Directors in response to criticisms raised by the regulators during an examination of Equifax’s cybersecurity and internal audit functions. The examination followed the company’s massive 2017 data breach, which exposed sensitive personal information of nearly 148 million customers. Equifax agreed to the order without admitting or denying any charges of “unsafe or unsound information security practices.”
On June 22, 2018, the United States Supreme Court decided Carpenter v. United States, in which it held that the government must generally obtain a search warrant supported by probable cause before acquiring more than seven days of historical cell-site location information (“CSLI”) from a service provider. Noting “the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection,” the Court held that an individual “maintains a legitimate expectation of privacy in the record of his physical movements captured through CSLI” that warrants Fourth Amendment protection. While the Court sought to construe its decision narrowly, the reasoning of the majority and Justice Gorsuch in his dissent raise significant questions about whether and to what extent individuals may have a reasonable expectation of privacy or possessory interest in other sensitive personal data held by third parties beyond the CSLI at issue in Carpenter.
Please click here to read the full alert memorandum.
In response to pressure from advocacy group Californians for Consumer Privacy, on June 21, 2018, California lawmakers proposed a new law, the California Consumer Privacy Act of 2018, which would significantly expand consumers’ rights over their data. The proposed law would apply to entities that do business in California, collect consumers’ personal information or determine the purpose and means of processing such data, and satisfy at least one of the following: (i) have over $25 million in annual gross revenue, (ii) buy or receive, sell or share for commercial purposes, the personal information of 50,000 or more consumers, households or devices, or (iii) derive 50 percent or more of revenue from the sale of consumer personal information. Continue Reading California Introduces Bill Expanding Consumer Rights Over Data Privacy
In recent years, the Federal Trade Commission (“FTC”) has taken the lead among federal agencies in regulating the cybersecurity practices of companies that handle consumer personal information. The FTC has entered into numerous consent orders and other settlements with regulated companies that broadly require implementation and maintenance of information security programs that are “reasonably designed” to protect security and confidentiality of consumer information. A federal appeals court has now cast doubt on the viability of such orders. In a ruling issued on June 6, 2018, the Eleventh Circuit vacated a cease-and-desist order against LabMD, Inc. (“LabMD”) as unenforceable because it found that the order commanded an overhaul of the company’s data security program without providing a reasonably definite standard by which a court could determine compliance. Continue Reading Eleventh Circuit Vacates FTC Order Mandating Implementation of Cybersecurity Program
The consequences of a cybersecurity incident can be severe. The economic loss associated with an incident can often be compounded by reputational damage, loss of trade secrets, destruction of assets, operational impairment, lost revenue following the announcement of the cybersecurity incident and the expense of implementing remedial measures. The timing and content of any public communication about a suspected or confirmed cybersecurity incident can exacerbate this loss and have a significant impact on the trading price of the issuer’s securities. The disclosure considerations become even more complex when a company is subject to overlapping, and potentially conflicting, regulatory obligations in multiple jurisdictions, including the United States and the European Union (“EU”). This issue is now at the forefront with the EU’s new data security and privacy regime, the General Data Protection Regulation (“GDPR”), which became effective on May 25, 2018.
In the aftermath of the Facebook-Cambridge Analytica data privacy controversy, Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced a federal data privacy bill on April 10, 2018 titled the Customer Online Notification for Stopping Edge-provider Network Transgressions Act, or the CONSENT Act (the “Act”). While the Act is unlikely to pass in the near term given the lack of a Republican sponsor, it reflects increasing attention to privacy concerns in the United States, including consideration by both federal and state legislatures of significantly more prescriptive privacy requirements. Continue Reading CONSENT Act: Proposed Legislation a Sign of Potential U.S. Consent to Greater Privacy Protections?
Tomorrow, May 25, the European Union’s (“E.U.’s”) sweeping and much-awaited data security and privacy regulation known as the General Data Protection Regulation, or “GDPR,” will come into force. We have previously written a full analysis of the new requirements under the GDPR for companies subject to its jurisdiction.
Since the GDPR was formally approved in 2016, organizations around the world have devoted significant time and resources to preparing for the new law’s implementation. But while tomorrow is a deadline, it is also a start date—for compliance efforts that will require ongoing attention and adjustments in the months and years ahead. With this in mind, we have compiled the following tips and resources to aid companies in their ongoing efforts that will come after May 25: Continue Reading GDPR Compliance: Tips for What Comes <i>After</i> May 25
Last month, the Brazilian National Monetary Council (the “CMN”) issued Resolution No. 4,658 (the “Resolution”), which establishes new cybersecurity requirements covering institutions regulated by the Brazilian Central Bank (Banco Central do Brasil). The Resolution requires covered financial institutions to have cybersecurity policies in place by May 6, 2019, and be fully compliant with the regulation by December 31, 2021. Notably, the Resolution’s requirements cover third-party service providers that contract with covered institutions, including those located outside of Brazil. Continue Reading Brazil Issues new Cybersecurity Regulation for Regulated Financial Institutions
A recent FTC settlement highlights the need for companies to oversee their service providers, with respect to both collection of personal information and data security practices.
On April 24, 2018, Altaba, formerly known as Yahoo, entered into a settlement with the Securities and Exchange Commission (the “SEC”), pursuant to which Altaba agreed to pay $35 million to resolve allegations that Yahoo violated federal securities laws in connection with the disclosure of the 2014 data breach of its user database. The case represents the first time a public company has been charged by the SEC for failing to adequately disclose a cyber breach, an area that is expected to face continued heightened scrutiny as enforcement authorities and the public are increasingly focused on the actions taken by companies in response to such incidents. Altaba’s settlement with the SEC, coming on the heels of its agreement to pay $80 million to civil class action plaintiffs alleging similar disclosure violations, underscores the increasing potential legal exposure for companies based on failing to properly disclose cybersecurity risks and incidents.
Please click here to read the full alert memorandum.