EU-US Privacy Shield Principles Released; No Insurance Coverage for Data Breach, New York Court Holds; CFPB Levies First Data Security Fine; New York Court Sides with Apple in 4th Amendment War; “I confirm that I am over 13 years old” Checkbox Ruled Not an Effective Age-Screener

EU-US Privacy Shield Principles Released

After years of negotiations that intensified after the U.S.-EU Safe Harbor program was invalidated late last year, the U.S. Department of Commerce (DOC) and the European Commission (EC) reached an agreement to replace Safe Harbor, called the EU-U.S. Privacy Shield. On February 29, the DOC formally published this agreement.  The EC also published the draft adequacy decision for the new framework.  This formal agreement largely tracks the priorities discussed in a press release issued earlier in February and will allow companies to plan for lawful data transmissions across the Atlantic. For more information about the differences between the previous framework (U.S.-EU Safe Harbor) and the new one, please join us on March 9 at Crowell & Moring in Washington, D.C. for a seminar on the EU-U.S. Privacy Shield and the forthcoming EU Data Protection Regulation (GDPR).

No Insurance Coverage for Data Breach, New York Court Holds

The New York Appellate Court for the Third Division upheld the trial court’s decision to deny insurance coverage for RVST Holdings (RVST), which operate fast food restaurants in the New York area. Trustco Bank, in another action, filed suit against RVST for failing to secure their customers’ credit card information after third parties obtained the credit card numbers from RVST’s network and made fraudulent charges.  RVST, in turn, filed suit against Main Street Assurance Company, its business insurance provider, seeking coverage.  This coverage was denied.

On appeal, the New York court affirmed the trial court’s grant of summary judgment on behalf of the insurance company. RVST’s coverage under the policy explicitly excluded damages “arising out of the loss of electronic data” and specially limited coverage for defense of claims related to “direct physical loss of or damage to” RVST’s own property.  Thus, the court held that defense coverage was limited to first party property damage, i.e. damage to RVST’s property, not the credit card numbers which belonged to a third party.  The case serves as a stark reminder of the limits of traditional insurance coverage for data breaches.  Indeed, there is often no substitute for cyber-insurance, as Rachel Raphael and Ellen Farrell discussed in a recent Law360 article.=

CFPB Levies First Data Security Fine

Making its first foray into the federal regulation of data security, the Consumer Financial Protection Bureau (CFPB) issued its first data security fine against Dwolla, Inc., an online payment systems company. According to the no-fault consent order, Dwolla deceived customers about the nature of its data security practices and safety of its online systems. The company claimed that its data security practices “exceed(ed) industry standards and surpassed industry security standards.”

However, according to the CFPB, Dwolla did not “encrypt some sensitive consumer data” or use “reasonable and appropriate” means to protect consumer data. This action demonstrates the importance for companies seeking to advertise their data security practices to carefully review their public-facing statements and examine whether they can be supported.  For example, companies seeking to advertise that they “exceed industry standards” will want to document an examination of those standards and a process for measuring compliance with them.

New York Court Sides with Apple in 4th Amendment War

In the next chapter in the evolving stand-off between Apple and the FBI, a New York Court refused to issue an order under the All Writs Act requiring Apple to unlock the phone of an accused drug dealer. Although not an exact parallel to the current stand-off between the FBI and Apple over whether Apple should be required to create a device to unlock the phone of the San Bernadino shooter, the scathing opinion from Judge Orenstein signals the start of a divide among the courts.  Further, this battle highlights the contradictory enforcement agenda technology companies faces, as consumer protection agencies encourage encryption while law enforcement command decryption.

CARU Finds “I confirm that I am over 13 years old” Checkbox is Not an Effective Age-Screener

The Children’s Advertising Review Unit (CARU), an arm of the National Advertising Review Council (NARC), a self-regulatory body that reviews advertising, claimed a children’s online fan club failed to comply with the Children’s Online Privacy Protection Act (COPPA). The fan club website,, required that children enter personal information to sign-up for the fan club and e-newsletter, triggering COPPA’s restrictions on obtaining personal information from children.

Although DorkDiaries used an age verification and parental notice system, as required under the law, CARU found that these fell short. Specifically, DorkDiaries’ parental notice e-mail to not reach parents in a timely fashion and its age verification system was inadequate.  Before signing up for fan-club or newsletter, children were only required to check a box that stated “I confirm that I am over 13 years old.”  This, according to CARU, falls short of the required “neutral age screening.”  To satisfy this requirement, the Federal Trade Commission, which enforces COPPA, recommends a data entry point that requires users to enter their age accurately, such as a neutral screen where users can enter the month, date, and year of their birth.