DoD Issues Year-End DFARS Changes; Russians Now Have the “Right to Be Forgotten”; No Injury in Michael’s Data Breach Suit; FAA Issues Interim Final UAS Rule; New Penalties for Distributing Unique Medical Identifiers

Holiday Gift from Defense Department: More Time to Comply with DFARS Safeguarding Rule

Last Wednesday, the Department of Defense issued an interim rule making several changes to the Defense Federal Acquisition Regulation Supplement (DFARS), including extending the deadline for government contractors to comply with data protection requirements in DFARS 252.204-7012.  Even though the Department extended the compliance window, contractors still face an obligation to inform DoD if their security programs do not yet fully comply with the regulation.  For more information, or to seek assistance in meeting these changes, affected contractors can refer to the Crowell & Moring Alert on this topic, or contact the attorneys listed therein.

Search Engines in Russia Now Subject to “Right to Be Forgotten” Requests

On January 1, a Russian law went into effect requiring search engines operating in Russia to delist websites containing “false” or “obsolete” personal information upon that person’s request.  Search engines need not remove certain information, such as criminal convictions or the salaries of public employees.  Russia’s protections mimic those of the European Union, where the European Court of Justice upheld this right in 2014.  Web companies operating in Russia and offering information aggregation services—companies that could be fined up to one million rubles ($13,000) per occurrence for their non-compliance with this measure—should take note of this development.

Court Finds Plaintiffs in Suit Against Michael’s Craft Stores Lacked Injury

This week, Judge Joanna Seybert in the Eastern District of New York dismissed a suit against Michael’s Stores filed after a data breach impacted credit information for more than 2.6 million customers.  Relying on the oft-cited Clapper standard for Article III standing, Judge Seybert held the plaintiff had not pled the requisite injury to sustain the claim, failing to meet the Supreme Court’s requirement that her injuries were “certainly impending” or “based on a substantial risk that harm will occur.”  Notably, the court pointed out that the plaintiff’s credit card company has a “zero-fraud-liability” policy – mooting any potential injuries.  And, unlike the plaintiffs in other cases in which standing has been upheld, the plaintiff had failed to allege any out-of-pocket losses stemming from the breach.

FAA Issues Interim Final Rule on Drone Registration

Effective just before Christmas 2015, the FAA issued registration requirements for small unmanned aerial systems (sUAS) devices weighing between 0.55 and 55 pounds.  UAS operators for devices weighing more than 55 pounds cannot use this streamlined registration process, but must instead complete the FAA’s Aircraft Registry process.  This move, of interest to firms contemplating the use of UAS for commercial operations, firms manufacturing UAS, and recreational UAS users alike, follows a holiday season during which the FAA projected one million UAS would be sold in the United States.  Those who do not register could face both civil and criminal penalties.

President Signs Law Increasing Penalties for Distribution of Unique Health Identifiers

On Monday, December 28, President Obama signed Senate Bill 2425, the so-called “Patient Access and Medicare Protection Act.”  Among its provisions, the bill increased the penalties (to $500,000 for an individual offender or $1 million for a corporate offender) for knowingly distributing unique health identifying information.  Of note, this new law for the first time added criminal sanctions (up to 10 years in prison) for individuals convicted of purchasing, selling, or distributing this type of confidential personal information.