Litigation and regulation surrounding privacy and cybersecurity are continuously developing, both within the government and the private sector. This digest summarizes the most notable events in privacy and cybersecurity this week.
Connecticut Data Breach Law Updated
Connecticut enacted an updated data breach law, which will go into effect October 1, 2015. Among other things, the new law expands the definition of personal information, requires notice of breach within 90 days of discovery, requires the provision of at least 12 months of complimentary identity theft prevention services, and provides new administrative requirements for health insurers and state contractors.
$11.7 Million California Invasion of Privacy Act Class Action Settlement
A federal judge in California approved an $11.7M settlement between Six Continents Hotels Inc. and a class of about 7,000. The class sued the hotel chain alleging that customer service calls, which included the transmittal of personal information and credit card numbers, were recorded without their permission, violating California’s Invasion of Privacy Act. During the trial the judge rejected defendants’ argument that the California law was preempted by federal communications regulations.
China Expands National Security Law
China adopted a vague new cybersecurity law on July 1, the intent of which, Beijing states, is to protect security in “politics, culture, the military, the economy, technology and the environment.” The new law adds to foreign concern that Chinese state-owned enterprises will not be allowed to use foreign-produced technology, and that the new national cybersecurity “safety net” will complement the limiting Great Firewall internet controls.
Class Action Filed Against OPM over Massive Federal Worker Data Breach
The largest federal employee union, the American Federation of Government Employees (AFGE), filed a complaint in federal court and sought class action status alleging willful and intentional violations by the United States Office of Personnel Management (OPM) of the Privacy Act and Administrative Procedure Act related to the recent OPM data breach. The data breach affected some 18 million current and former federal workers. The complaint alleges, among other things, that OPM’s failure to comply with the Federal Information Security Management Act and to heed the warnings in the OPM Office of Inspector General’s 2014 audit report violated the Privacy Act’s requirement to safeguard personally identifiable information (PII) and its prohibition against unauthorized disclosure of PII.
Harvard University Hit by Cyberattack
Eight Harvard University colleges were affected by a breach of two of Harvard University’s IT systems last month. Harvard claims that neither research nor personal data were exposed but that computer and email passwords may have been breached. An external cybersecurity firm is performing a forensic investigation on behalf of Harvard and the cyberattack is being investigated by federal law enforcement.
FTC Launches “Start with Security” Initiative
The Federal Trade Commission (FTC) launched a new initiative to guide businesses towards good data security practices, based on its experience with over 50 data security enforcement actions. The guidance and accompanying website (www.ftc.gov/datasecurity) lay out ten steps to effective data security and are designed to provide an easy way for companies to understand best practice security principles.
FCC to Start Broadband Rule-Making Process in Fall
Federal Communications Commission (FCC) Chairman Tom Wheeler announced that the agency will begin the rulemaking process this fall to clarify its broadband privacy authority. Until then, the Commission has noted that it will initially judge internet providers on “reasonable, good-faith steps” to comply with the FCC’s general privacy provisions.
NIST Finalizes Encryption Recommendations
The National Institute of Standards and Technology (NIST) revised its recommended methods for generating random encryption numbers and updated its technical specifications and guidance with regard to Smart ID cards used by federal agencies.