In Landmark Case, Illinois Supreme Court Sets Low Bar For Claims Under Illinois’ Biometric Information Privacy Act
On January 25, 2019, the Illinois Supreme Court unanimously held that a plaintiff does not need to allege any actual injury or damages to successfully state a claim under the Illinois Biometric Information Privacy Act (BIPA). Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Jan. 25, 2019) (a copy of the opinion is available here). A violation of the statute by itself is sufficient to state a claim, even if no breach or misuse of the biometric information or identifier has occurred. Because BIPA includes stiff liquidated damages for violations, the court’s ruling is likely to lead to renewed interest by the plaintiffs’ bar in class action suits alleging BIPA violations. (more…)
EDPB Issues Long-Awaited Guidance on Territorial Scope of the GDPR
On November 23, 2018, the European Data Protection Board (“EDPB”) published draft guidelines seeking to clarify the territorial scope of the GDPR (“Guidelines”). The Guidelines have been eagerly awaited, particularly by controllers and processors outside of the EU looking for confirmation as to whether or not the EU data protection rules apply to them. The Guidelines largely reaffirm prior interpretations of the GDPR’s territorial application under Article (3)(1), and offer essential guidance with respect to the GDPR’s – heavily debated – extraterritorial application under Article (3)(2). The GDPR applies to companies established in the EU as well as companies outside of the EU that are “targeting” individuals in the EU (by offering them products or services) or monitoring their behavior (as far as that behavior takes place in the EU).
The proposed Guidelines are open for public consultation until January 18, 2019. It remains to be seen whether and how any outstanding issues will have been addressed upon conclusion of the consultation. (more…)
Senate Hearing on Federal Privacy Law: Question is Not Whether But What Form
On September 26, the Senate Commerce Committee invited tech and telecom companies to the Hill to discuss safeguards for consumer data privacy. “The question,” noted Chairman John Thune, “is no longer whether we need a federal law to protect consumers’ privacy. The question is what shape that law should take.” The Senators and testifying witnesses expressed strong support for a comprehensive federal privacy law. (more…)
Movement Towards a Comprehensive U.S. Federal Privacy Law: Witnesses Prepare to Testify in Senate Hearing
The last six months have been busy ones for privacy watchers, with the entry into force of the GDPR and the enactment and amendment of the California Consumer Privacy Act.
An increasing number of eyes are now turning to the U.S. Congress to see how it will react to these developments, and Data Matters – and the privacy community generally – will thus be closely watching the Senate Committee on Commerce, Science, and Transportation on Wednesday, September 26, 2018, when it hosts a hearing titled “Examining Safeguards for Consumer Data Privacy.” (more…)
South Carolina Becomes the First State to Enact the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law
In October 2017, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law. According to NAIC’s news release announcing this development, the Model Law was meant to build on the organization’s cybersecurity progress and create a “platform that enhances our mission of protecting consumers.” (For more information on the development of the Model Law, see our prior coverage.) (more…)
SEC Issues New Guidance on Cybersecurity Disclosure Requirements
On February 21, 2018, the U.S. Securities and Exchange Commission issued interpretive guidance (the Guidance) to assist public companies in drafting their cybersecuritydisclosures in SEC filings. See 83 FR 8166 (Feb. 26, 2018). In his public statement accompanying the issuance of this guidance, SEC Chairman Jay Clayton said he believed that “providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.”1 In this new guidance, the SEC is likely intending to signal how it may focus future enforcement concerning the cybersecurity disclosure obligations of public companies, and their underlying disclosure controls, procedures and certifications. (more…)
U.S. Treasury Expresses National Perspective In Response to NAIC Insurance Data Security Model Law
On October 26, 2017, the U.S. Department of Treasury released a 176-page Report examining the current regulatory framework for asset management and insurance industries. The Report, titled A Financial System That Creates Economic Opportunities: Asset Management and Insurance, identifies laws and regulations that are inconsistent with the Trump Administration’s Core Principles for financial regulation as set forth in Executive Order 13772 (Feb. 3, 2017), and makes recommendations to ensure alignment. For data privacy and security, the Report commented on the Insurance Data Security Model Law (the “Model Law”) adopted by the National Association of Insurance Commissioners’ (the “NAIC”) on October 24, 2017 (for more information on the development of the Model Law, see our prior coverage). The Model Law attempts to set a baseline for cybersecurity, although it depends on legislative action on the state level. (more…)
Illinois’ Governor Vetoes the Geolocation Privacy Bill
On September 22, 2017, Illinois Governor Bruce Rauner vetoed the proposed Geolocation Privacy Protection Act, which sought to limit the collection, use, retention, or disclosure of precise geolocation data from a mobile device without a person’s prior express and written consent. The General Assembly originally passed the bill on June 27, 2017. (For more background on the bill, see Illinois Becomes the First State to Pass a Geolocation Privacy Protection Bill (July 5, 2017)). (more…)
SEC’s OCIE Cybersecurity Risk Alert Announces Cybersecurity 2 Observations
On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a cybersecurity Risk Alert summarizing its observations from its second cybersecurity survey of financial services firms. Overall, OCIE observed increased cybersecurity preparedness since its first 2014 “Cybersecurity 1” Initiative, but also the SEC noted a number of areas where compliance and oversight merit attention. Perhaps the most general observation from the “Cybersecurity 2” risk alert is that, while the OCIE noted that most firms now have written policies and procedures, the message was clear that simply having a generic policy is not adequate. Firms must instead have policies that are adapted to their actual operations as well as procedures that demonstrate the implementation of these policies and documented results of compliance with those procedures. (more…)
Illinois Becomes the First State to Pass a Geolocation Privacy Protection Bill
On June 27, 2017, the Illinois General Assembly passed a bill seeking to limit the collection, use, retention, or disclosure of precise geolocation data from a mobile device without a person’s prior express and written consent. This notable bill, the Geolocation Privacy Protection Act (“GPPA”), is on its way to Illinois Governor Bruce Rauner’s desk – although it is unclear if it will be signed or vetoed. If signed, this bill would mark the first state geolocation privacy protection bill in the country—and represent the most stringent requirements related to geolocation data in the nation, potentially creating complex issues for the rapidly proliferating variety of mobile Internet of Things devices. (more…)