By

Colleen Theresa Brown

14 June 2018

European Lawmakers Call on the EU to Suspend the EU-U.S. ‘Data Transfer’ Privacy Shield

On 11 June 2018, members of a Committee within the European parliament (“MEPs”) narrowly voted in favour of suspending the EU-U.S. Privacy Shield (“Privacy Shield”), an agreement that facilitates the transfer of personal data of EU data subjects to the U.S., unless the U.S. government fully complies with the Privacy Shield data protection requirements by 1 September 2018. Although the resolution is only a draft and has no legal effect, it reflects continued European concerns surrounding Privacy Shield.   (more…)

EmailPrintShare
12 June 2018

11th Circuit Vacates LabMD Enforcement Order; Casts Doubt on Decades of FTC Cybersecurity Enforcement Practices

In recent years, the Federal Trade Commission has increasingly exercised its enforcement authority to target deceptive and unfair information security practices.  During this time, enforcement actions have targeted companies for failing to honor their promises to implement “reasonable” or “industry standard” security practices, defend against well-known security threats, put in place basic security measures, or take many other basic data security steps.  And despite challengers arguing that the FTC provided insufficient notice before pursuing these actions or that the actions otherwise exceeded the FTC’s Section 5 enforcement authority, the Commission generally has a track record of successfully defending its prerogatives.     (more…)

EmailPrintShare
23 May 2018

FCC Asks for Input After ACA International v. FCC

The Telephone Consumer Protection Act (TCPA) bar has been reeling ever since the U.S. Court of Appeals for the D.C. Circuit overturned a couple of key Federal Communications Commission (FCC) rules in ACA International v. FCC, including the FCC’s overbroad interpretation of the definition of an autodialer. However, the ruling still left several key provisions in place that facilitate the potential for significant liability and sow uncertainty for everyday business and compliance operations. Now the commission has issued a public notice seeking input about how it should interpret the TCPA. Comments are due June 13, 2018, with replies due June 28. (more…)

EmailPrintShare
17 May 2018

Georgia Governor Vetoes Broad-Reaching Computer Crime Bill, Highlighting Debate Around Bug Bounty Programs

On May 8, Georgia Governor Nathan Deal announced that he was vetoing Senate Bill 315 (“SB 315” or “the bill”), cybersecurity legislation that would have expanded the criminalization of “unauthorized computer access” to capture, in addition to traditional hacking, activity that opponents warned is necessary to robust private and public sector cyber defense.  In his veto statement, Governor Deal commented that parts of SB 315 “have led to concerns regarding national security implications and other potential ramifications” that caused him to conclude that “while intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so.” (more…)

EmailPrintShare
15 May 2018

DFAR Cybersecurity FAQs Provide Practical Guidance Highlighting Expansive Scope of Contractor Requirements

For defense contractors, January 1, 2018 brought with it not only a new year, but also a new era – an era in which contractors must comply with the entire set of more detailed cybersecurity requirements under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.  As we have flagged before on Data Matters, this DFRAS provision applies to all Department of Defense (DOD) contracts (except for those involving commercial, off-the-shelf items) and places a number of substantial obligations on contractors, including that they comply with the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” and report certain cyber incidents to DOD. (more…)

EmailPrintShare
11 May 2018

Arizona Updates Data Breach Law

Changes to data breach notification laws continue to pop up across the country this Spring.  The latest comes from a new law signed by Arizona Governor Doug Ducey that amends the state’s data breach standards.  Although much of the Arizona law has remained the same, the new law updates a few key provisions, including the definition of personal information, the requirements for the content of the data breach notice, the timing of notice, and the capping of penalties.  (more…)

EmailPrintShare
30 March 2018

Alabama Passes Data Breach Notification Law; Breach Laws Now on the Books in All 50 States

And then there were none. Alabama has joined the ranks of the other 49 states with breach notification requirements by enacting the Alabama Data Breach Notification Act of 2018 (the “Act”). The Act, which was signed into law by Alabama Governor, Kay Ivey on March 28, 2018, requires companies to provide Alabama residents with notification of a breach within 45 days of discovery.  Notification is triggered by a determination of a breach that poses a risk of harm to impacted individuals. Alabama exempts from the definition of breach the good faith acquisition of sensitive personally identifying information by an employee or agent of a covered entity, unless the information is used for a purpose unrelated to the business or subject to further unauthorized use. Companies must notify the state AG in the same period if the breach requires notification of more than 1,000 “individuals” (defined as Alabama residents whose “sensitive personally identifiable information” was, or is reasonably believed to have been, accessed as a result of the breach). In addition, if more than 1,000 individuals are notified at a single time, companies must provide notice to consumer reporting agencies “without unreasonable delay.” Third parties who are contracted to process sensitive personally identifiable information must provide notice of a breach to the owner of that information within ten days of discovering the breach. Notice from a third party then triggers the 45-day notification period for the covered entity.

(more…)

EmailPrintShare
26 March 2018

South Dakota Becomes 49th State to Enact a Data Breach Notification Law

On March 21, Governor Daugaard of South Dakota signed SB 62, making South Dakota the 49th state to enact a data breach notification statute (leaving only Alabama without a state data breach law).  South Dakota’s attorney general issued a statement after the law was signed, observing that the connected economy comes with “an increased risk of theft and fraud,” and “we need the tools to combat these breaches and thefts of our personal information.” (more…)

EmailPrintShare
20 March 2018

D.C. Circuit Strikes Down Some Rules Governing Telephone Consumer Protection Act, Upholds Others

On March 16, 2018, the U.S. Court of Appeals for the D.C. Circuit issued a long-awaited ruling on a challenge to the Federal Communications Commission’s 2015 order that expanded the scope of the Telephone Consumer Protection Act (“TCPA”). In ACA International v. FCC, No. 15-1211, the court invalidated a rule that had broadly defined automatic telephone dialing systems, or “auto-dialers”; it also struck down the FCC’s approach to situations where a caller obtains a party’s consent to be called but then, unbeknownst to the caller, the consenting party’s wireless number is reassigned. In the same ruling, the court upheld the FCC’s decision to allow parties who have consented to be called to revoke their consent in “any reasonable way,” as well as the FCC’s decision to limit the scope of an exemption to the TCPA’s consent requirement for certain healthcare-related calls.

(more…)

EmailPrintShare
1 2 3 9
XSLT Plugin by BMI Calculator