Delaware Expands Data Breach Notification Statute

Governor John Carney signed Delaware’s updated breach notification law on August 17, 2017.  The revised law, which will come into force on April 14, 2018, includes key changes to the definition of personal information, introduces credit monitoring obligations, and heightens notice requirements. The law will also create new general information security requirements.


Eighth Circuit Rejects Implied Premise that a Hack Is Tantamount to Inadequate Information Security, Ruling Such “ ‘Naked Assertions’ … Cannot Survive a Motion to Dismiss.”

The Eighth Circuit held on August 21 that, in the absence of actual injury in a data breach case, “massive class action litigation should be based on more than allegations of worry and inconvenience.”  The Court found that no customers of the defendant securities brokerage firm had suffered fraud or identity theft resulting in financial loss from a 2013 data security incident.*  Kuhns v. Scottrade, Inc., Nos. 16-3426, 16-3542 (8th Cir. Aug. 21, 2017).

In a decision that is replete with great holdings and quotable language for defendants in data breach litigation, the Eighth Circuit demonstrated that even where constitutional standing is found, plaintiffs will not likely succeed if they can allege no real injury even years after the hack occurred.


FTC Uber Settlement Mandates a Comprehensive Privacy Program, Sheds Light on “Reasonable Data Security” Expectations, and Underscores Importance of Insider Threat Prevention

On August 15, the FTC announced that it had reached an agreement with Uber to settle allegations that the company had made deceptive claims about its privacy and data security practices. The FTC’s settlement with Uber has important implications for privacy and data security measures that companies could take, and the representations they and their employees make in these areas. It also sheds greater light on what the FTC means by “reasonable data security” measures that companies should implement, and underscores the importance of maintaining a robust insider threat prevention program.


Ninth Circuit Issues Long-Awaited Decision on Standing After Remand From Supreme Court

On August 15, 2017, the Ninth Circuit again addressed whether a violation of the Fair Credit Reporting Act (FCRA) constitutes a sufficiently concrete and particularized harm to satisfy Article III’s injury-in-fact requirement. In Robins v. Spokeo, No. 11-56843, the court found for a second time that plaintiff Thomas Robins had adequately alleged standing. Plaintiffs may cite this ruling to oppose motions to dismiss for lack of standing in other FCRA cases or cases alleging other statutory violations, but the actual impact of the opinion may be limited to cases involving closely similar facts.


Influential Stakeholders Debate a Cross-Sector Approach in Using Big Data for Improving Human Health

Big Data has been a hot topic of discussion in recent years. This was especially the case in Brussels, where the fiercely debated EU General Data Protection Regulation (GDPR) was adopted in 2016. A major concern for all of us is personal privacy. Less discussed is the use of Big Data for social good.

A traditional sectoral approach to harnessing the potential of Big Data for social good is insufficient. This is the case in terms of organisations from different sectors partnering to develop new technologies. It also means that legislation and policies on Big Data must be forward thinking and facilitate cross-sectoral co-operation.


SEC’s OCIE Cybersecurity Risk Alert Announces Cybersecurity 2 Observations

On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a cybersecurity Risk Alert summarizing its observations from its second cybersecurity survey of financial services firms. Overall, OCIE observed increased cybersecurity preparedness since its first 2014 “Cybersecurity 1” Initiative, but the SEC also noted a number of areas where compliance and oversight merit attention. Perhaps the most general observation from the “Cybersecurity 2” risk alert is that, while the OCIE noted that most firms now have written policies and procedures, the message was clear that simply having a generic policy is not adequate. Firms must instead have policies that are adapted to their actual operations as well as procedures that demonstrate the implementation of these policies and documented results of compliance with those procedures.


State Privacy Laws: New Jersey Passes Consumer Privacy Act

State laws governing the collection and use of personal information continue to proliferate. The latest comes from New Jersey, which on July 21, 2017, signed into law legislation that restricts a merchant’s ability to collect personal data of shoppers and share such data with third parties.  New Jersey’s Personal Information Privacy and Protection Act permits retailers to scan an identification card only for certain purposes—such as verifying the consumer’s identity—and requires retailers to store such data securely.  Further, a retailer may not share the data with a third party unless the retailer discloses its data-sharing practices to the consumer.
