Alabama Passes Data Breach Notification Law; Breach Laws Now on the Books in All 50 States
And then there were none. Alabama has joined the ranks of the other 49 states with breach notification requirements by enacting the Alabama Data Breach Notification Act of 2018 (the “Act”). The Act, which was signed into law by Alabama Governor, Kay Ivey on March 28, 2018, requires companies to provide Alabama residents with notification of a breach within 45 days of discovery. Notification is triggered by a determination of a breach that poses a risk of harm to impacted individuals. Alabama exempts from the definition of breach the good faith acquisition of sensitive personally identifying information by an employee or agent of a covered entity, unless the information is used for a purpose unrelated to the business or subject to further unauthorized use. Companies must notify the state AG in the same period if the breach requires notification of more than 1,000 “individuals” (defined as Alabama residents whose “sensitive personally identifiable information” was, or is reasonably believed to have been, accessed as a result of the breach). In addition, if more than 1,000 individuals are notified at a single time, companies must provide notice to consumer reporting agencies “without unreasonable delay.” Third parties who are contracted to process sensitive personally identifiable information must provide notice of a breach to the owner of that information within ten days of discovering the breach. Notice from a third party then triggers the 45-day notification period for the covered entity.
FCC and FTC Enter Memorandum of Understanding to Coordinate Regulation of ISPs
Following the recent adoption of the “Restoring Internet Freedom Order” by the Federal Communications Commission (FCC), the FCC and the Federal Trade Commission (FTC) have entered an agreement to coordinate their cooperation on the regulation of ISPs to protect consumer interest. (more…)
M&A Due Diligence: The Devil in Their Data
*Article first appeared in Corporate Board Member on November 7, 2017
At a time when a major cybersecurity incident can cost a company millions, it’s crucial that acquiring companies give cybersecurity the same level of scrutiny as they do more traditional risks and opportunities in the M&A due diligence process. Yet too many deals suffer from superficial consideration of these issues.
Why the disconnect? Unlike other areas where companies face legal and regulatory implications, in-house and outside legal teams often lack well-developed methods to analyze cybersecurity risks, too often considering them technical issues beneath the notice of the bankers and lawyers. In many cases, deal teams lack the skill sets to analyze the issues effectively and cannot even speak the language of the CIOs and CISOs well enough to spot “alternative facts.” Boards need to ensure that they or their advisers—preferably both—have sufficient skills to assess cybersecurity risks and ask the right questions. (more…)
FTC Uber Settlement Mandates a Comprehensive Privacy Program, Sheds Light on “Reasonable Data Security” Expectations, and Underscores Importance of Insider Threat Prevention
On August 15, the FTC announced that it had reached an agreement with Uber to settle allegations that the company had made deceptive claims about its privacy and data security practices. The FTC’s settlement with Uber has important implications for privacy and data security measures that companies could take, and the representations they and their employees make in these areas. It also shed greater light on what the FTC means by “reasonable data security” measures that companies should implement, and underscores the importance of maintaining a robust insider threat prevention program. (more…)
Federal Judge Finds No General Obligation for Companies To Protect Employee Data
In a ruling on March 31, Enslin v. The Coca-Cola Co. (E.D. Pa. Mar. 31, 2017), Hon. Joseph F. Leeson, Jr., of the United States District Court for the Eastern District of Pennsylvania, dismissed a proposed class action on behalf of 74,000 Coca-Cola employees. The proposed suit was brought by a former Coca-Cola technician who claimed that his identity was stolen after a laptop with his unsecured sensitive employee information fell into the public’s hands. (more…)
Italian DPA Imposes Largest Ever Fine Imposed by a European Data Protection Authority: UK Payments Company Found to Have Breached Consent and Other Rules
On February 2, the Italian Data Protection Authority, known as the “Garante,” imposed a fine of EUR 5,880,000 on a UK money transfer company that it found to be in violation of Italian data privacy rules. This is the largest ever publicly-known fine imposed by an EU data protection authority, and it approaches the level of fines that are likely to be imposed under the EU’s General Data Protection Regulation (“GDPR”) that will come into force in May 2018. Although the GDPR is not yet in force, the Garante’s enforcement action shows that European data protection authorities are willing to levy the kind of fines allowed by the GDPR.
2016 Year in Review and 2017 Preview: Top Ten for Data Protection and Privacy
2016 was a year of seismic changes in the global data protection and privacy landscape. Here, we look back at the top ten events and issues that shaped 2016, and are poised to shape the year ahead as well.
Year In Review
1. GDPR Adoption
On April 14, the European Parliament voted to adopt the long-awaited EU General Data Protection Regulation (GDPR), formally completing adoption of the GDPR. The GDPR was published in the Official Journal of the EU on May 25, 2016, giving companies and Member States until the May 25, 2018 effective date to implement the Regulation fully. In the wake of its adoption, businesses should have planning under way for implementation of the significantly expanded Regulation by evaluating whether they are subject to the expanded jurisdiction, and if so, completing an internal gap analysis of current data protection practices as compared with the new requirements and rights under the Regulation. Some of the key aspects to consider include data breach response planning under the new 72-hour notice requirement, reviewing existing data protection notices and consents for the more robust obligations, identifying current profiling activities and existing data protection and retention policies and procedures, ensuring privacy impact assessments are carried out where required, and evaluating whether there is an obligation to appoint a data protection officer. Despite the time until the effective date, the extensive preparation necessary to comply presents a challenge as companies around the world refocus resources to develop compliance plans.
2. Political Cyber Warfare
There is a new front in geopolitical battles. (more…)
Federal Court Grants LabMD’s Motion to Stay Enforcement of FTC’s Final Order
The U.S. Court of Appeals for the Eleventh Circuit has ordered the FTC to halt enforcement of its data security order against LabMD while LabMD challenges the action.
To recap the events leading up to this stay, a data security company allegedly obtained sensitive data from LabMD via a peer-to-peer file-sharing program. Allegedly, after LabMD refused to purchase the company’s security products, it reported the alleged data security vulnerability to the FTC. The FTC accused LabMD of unfair practices in failing to provide reasonable and appropriate security for customers’ personal information, which was allegedly likely to cause harm to customers. In 2015, an Administrative Law Judge dismissed the case, finding that the FTC failed to prove LabMD’s practices were likely to cause substantial customer injury. In July 2016, upon appeal to the full Commission, the FTC reversed the ALJ decision. Although LabMD stopped operating in 2014, the FTC nevertheless ordered LabMD to implement several information security compliance measures because the Lab still maintains medical records. LabMD appealed to the Eleventh Circuit and filed a motion to stay the FTC’s order.
HHS Office for Civil Rights Updates Its Website with Guidance on HIPAA Audits and Unique Device Identifiers (UDIs)
HHS-OCR has updated its website with guidance on two important and current issues: ongoing HIPAA audits and deidentification. After officially launching phase two of its audit program earlier this month, sending notification letters to 167 covered entities, HHS-OCR has posted updated guidance on its website regarding the audits. Unrelated to the audits, OCR also posted guidance on the treatment of unique device identifiers (UDIs) under HIPAA’s standards for de-identification and limited data sets.
DHS and DOJ released final rules for treatment of shared cybersecurity threat information under CISA
The DHS and DOJ have issued final rules and guidance for receipt of cyber threat indicators and defensive measures, including Guidelines for privacy and civil liberties protections. On June 15, the DHS and DOJ announced the release of their joint rules for government handling of cybersecurity information shared by companies, along with expanded guidance for companies wishing to share cybersecurity threat information and take advantage of CISA’s liability shields for certain information sharing and defensive monitoring activities. The newly released rules incorporate and implement provisions of the Cybersecurity Information Sharing Act (CISA) which was passed in December 2015. CISA authorizes and protects information-sharing for certain cybersecurity purposes. It applies to all organizations and it offers companies a broad safeguard from liability for voluntarily sharing “cyber threat indicators” or engaging in certain cybersecurity “defensive measures.”