On January 8, the FTC announced a settlement with VTech (a maker of electronic children’s toys) for violations of COPPA, adding to the regulatory activity mounting in the last few years around the Internet of Toys. The company agreed to pay $650,000 to settle allegations that its Kid Connect app and its Learning Lodge platform collected personal information from almost 3,000,000 children without providing direct notice and obtaining their parent or guardian’s consent.
This past year was marked by ever more significant data breaches, growing cybersecurity regulatory requirements at the state and federal levels and continued challenges in harmonizing international privacy and cybersecurity regulations. We expect each of these trends to continue in 2018.
As we begin this New Year, here is a list of the top 10 privacy and cybersecurity issues for 2018:
On 10 October 2017, Jamaica introduced into its House of Parliament a comprehensive Bill for privacy and data protection, entitled “An Act to Protect the Privacy of Certain Data and for Connected Matters.” The new law would cover personal data, including data in an “accessible record” such as a health record or an educational record. If passed, the new law will be named the “Data Protection Act, 2017.”
On October 3, 2017, the Article 29 Working Party (“WP29”) adopted draft guidelines (“Draft Guidelines”) regarding notification of personal data breaches under the EU’s General Data Protection Regulation (“GDPR”), which will require breach notification within 72 hours of awareness of a breach. The Draft Guidelines appear to have been released for public comment during the week of 16th October. The deadline for comment is November 24, 2017. The Draft Guidelines are available here. The WP29 is a collective of EU data privacy supervisory authorities (“DPAs”).
With the continued rise of data breaches rooted in a compromise of user credentials, interest has continued to build in more secure forms of digital identity for authentication. Supporting controls for federal agencies as well as innovation in the market, the National Institute of Standards and Technology (“NIST”) published its four-volume Digital Identity Guidelines earlier this year on June 22, 2017. The Guidelines encourage online service providers (“OSPs”) to adopt design practices that promise to reduce unnecessary user frustration with password and identity verification systems, while at the same time increasing security. The primary purpose of the Guidelines is to promulgate technical requirements for federal agencies; businesses, however, could use the Guidelines as a baseline for their own cybersecurity systems—both to establish credibility and enhance the user experience.
On October 16, 2017, the U.S. Supreme Court granted the U.S. government’s request for review of a lower court decision that rejected the government’s construction of the Stored Communications Act (SCA) and embraced a more restrictive view that Microsoft had advanced, backed by much of the tech industry and many privacy groups.
On September 22, 2017, Illinois Governor Bruce Rauner vetoed the proposed Geolocation Privacy Protection Act, which sought to limit the collection, use, retention, or disclosure of precise geolocation data from a mobile device without a person’s prior express and written consent. The General Assembly originally passed the bill on June 27, 2017. (For more background on the bill, see Illinois Becomes the First State to Pass a Geolocation Privacy Protection Bill (July 5, 2017)).