Companies with robust cybersecurity programs may still be vulnerable to attack. A new, first-of-its-kind law in Ohio now recognizes this fact. On November 1, 2018, the Ohio Data Protection Act (SB 220) establishes a safe harbor from state tort actions in data breach cases for entities that have developed an information security program with “administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry recognized cybersecurity framework.” Without establishing minimum cybersecurity standards, the Ohio law affords defendants an “affirmative defense” against state tort actions and establishes an important precedent that may serve as a model for other states and the federal government to follow. (more…)
As one of the epicenters of the Information Age and largest state in the Nation, California’s regulatory decisions can have an outsize impact on the data economy. Recently, the State has tried to use this pride of place to stamp its imprint on two important public debates. First, on September 30, 2018, Governor Brown signed into law the California Internet Consumer Protection and Net Neutrality Act of 2018 (Senate Bill 822), which seeks to impose, as a matter of state law, net neutrality regulation even more restrictive than the federal regime the Federal Communications Commission (FCC) repealed earlier this year. Second, earlier this year, California enacted (and then subsequently amended) the California Consumer Privacy of 2018, the broadest privacy law in the United States. As laid out below, these enactments have sparked legal and policy debates over whether California should be able to set rules that could become de facto national standards or whether federal rules do or should preempt California’s efforts. (more…)
*This article first appeared in the Washington Post on September 26, 2018.
In a recent piece for Washington Post Outlook, Chris Fonzone and Josh Geltzer (from the Georgetown Law Center’s Institute for Constitutional Advocacy and Protection) explained why a legal case that began with a dispute between a Loudoun County supervisor and a constituent may help set a new standard for online interaction nationally:
A legal case that began with a dispute between a member of the Loudoun County Board of Supervisors and a constituent may help to set the rules for how government officials — up to and including President Trump — interact with the public online. A federal appeals court in Richmond will hear the case this week, and, while the stakes of the conflict may seem small at first — one man was banned for a day from an official’s Facebook page — it has potentially enormous First Amendment implications. (more…)
On July 31, 2018, the U.S. Office of the Comptroller of the Currency (OCC) announced its decision (the Fintech Charter Decision) to begin accepting applications from financial technology (fintech) companies for special purpose national bank charters.1 The OCC has indicated it will not grant a charter to a fintech company that wishes to accept deposits or engage in fiduciary activities (for business plans that involve purely fiduciary activities, a limited purpose trust charter may provide an alternative vehicle). The Fintech Charter Decision is discussed in greater detail in a prior Sidley Banking and Financial Services Update.2
On September 14, the New York State Department of Financial Services (DFS) filed a federal court complaint seeking to enjoin further actions by the OCC to implement the Fintech Charter Decision and related actions, arguing that such acts are lawless, ill-conceived and destabilizing of financial markets. DFS also argued that such acts are beyond the OCC’s statutory authority and in violation of the Tenth Amendment to the U.S. Constitution, alleging that the police power to regulate financial services and products delivered within a state’s own geographical jurisdiction is among a state’s fundamental sovereign powers.3 (more…)
Ever since the D.C. Circuit struck down the FCC’s overbroad rule defining “auto-dialers” under the Telephone Consumer Protection Act, district courts have debated the scope of the D.C. Circuit’s ruling: Did it effectively strike down earlier FCC pronouncements on what qualifies as an auto-dialer? In a carefully reasoned opinion, a district court judge in Chicago held last week that it did. (more…)
*Originally Published July 12, 2018 by Chambers and Partners Data Protection & Cyber Security 2018
There is a lot going on with privacy around the world. As discussed in the chapters of this book, significant new laws are being adopted or taking effect, important judicial decisions are being decided to interpret existing legal requirements, and citizens are contending with their own expectations about confounding new technologies and business models. It is not clear, however, that the public policy being developed in any country is a thoughtful reaction to the promises and perils of today’s digital economy, rather than a knee-jerk over-reaction to imagined harms and a handful of high-profile incidents. (more…)
On June 25, the United States Court of Appeals for the First Circuit in Cullinane v. Uber Technologies, Inc., __ F.3d __, 2018 WL 3099388 (1st Cir. 2018), evaluated the enforceability of arbitration provisions in online contracts. The First Circuit found Uber’s arbitration provision, which contained a class action waiver, unenforceable because Uber did not make its terms of service sufficiently conspicuous. Cullinane highlights the importance of obtaining customers’ affirmative consent to an online contract and reaffirms that conspicuousness of the arbitration agreement and the form of assent that retailers require from consumers remain paramount.
In recent years, the Federal Trade Commission has increasingly exercised its enforcement authority to target deceptive and unfair information security practices. During this time, enforcement actions have targeted companies for failing to honor their promises to implement “reasonable” or “industry standard” security practices, defend against well-known security threats, put in place basic security measures, or take many other basic data security steps. And despite challengers arguing that the FTC provided insufficient notice before pursuing these actions or that the actions otherwise exceeded the FTC’s Section 5 enforcement authority, the Commission generally has a track record of successfully defending its prerogatives. (more…)
Whether you are marking today with a glass of champagne, a shot of whiskey, or a hot cup of tea, today marks a significant day for privacy professionals world-wide.
Here’s to all of the privacy professionals who have put in so many hours to prepare for the GDPR, fully effective as of Friday May 25, 2018 at midnight in Brussels; that is 6 PM eastern on Thursday, May 24th for toasting purposes.
For business executives, policymakers, and consumers who have become aware of the GDPR in recent weeks and are interested in learning more, visit our GDPR resource page here.
The Telephone Consumer Protection Act (TCPA) bar has been reeling ever since the U.S. Court of Appeals for the D.C. Circuit overturned a couple of key Federal Communications Commission (FCC) rules in ACA International v. FCC, including the FCC’s overbroad interpretation of the definition of an autodialer. However, the ruling still left several key provisions in place that facilitate the potential for significant liability and sow uncertainty for everyday business and compliance operations. Now the commission has issued a public notice seeking input about how it should interpret the TCPA. Comments are due June 13, 2018, with replies due June 28. (more…)