On Wednesday, in one of the most high-profile data breach settlements to date, The Home Depot agreed to pay $25 million to settle a consolidated class action involving more than 60 nationwide financial institutions harmed by the retailer’s September 2014 data breach. That month, the home improvement giant announced that hackers had installed malware on
Russians Hack Clinton Campaign System; FTC: LabMD Liable in Data Security Suit; EU Member States issue statement on Privacy Shield; NIS Directive published – Implementation into national law by May 2018; EU Data Protection Supervisor: e-Privacy directive should meet GDPR-requirements.
Clinton Campaign Data Breach brings data security into 2016 campaign yet again
On July 29, an F.B.I. official told the New York Times that computer systems used by the Clinton presidential campaign were hacked in the latest in a string of cybersecurity attacks targeting political entities. The Times noted the attacks appeared to have been carried out by the Russian intelligence services. These revelations follow news of similar attacks carried out earlier in the summer, including a Russian government hack of the Democratic National Committee’s computer network. Investigations into both attacks are ongoing.
FTC Reasserts Data Security Enforcement Powers in suit against LabMD
Late last week, the FTC issued its long-awaited final order in its investigation of LabMD’s alleged unfair data security practices. The FTC had filed charges against LabMD, a clinical laboratory used by physicians, for allegedly failing to protect sensitive personal information of over 750,000 patients. An ALJ had earlier dismissed the charges, holding that the FTC had not shown that LabMD’s data security practices caused substantial consumer injury. The Commission unanimously reversed that decision.
FTC claimed that LabMD “lack[ed] even basic precautions to protect . . . sensitive consumer information maintained on its computer system. Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.” Firms collecting personal information should note that future FTC enforcement is likely to note the absence of any of these systems as evidence of sub-par data security practices.
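What “file integrity monitoring” means in concrete terms, as an added illustration that is not part of the original post nor of any FTC or LabMD material: take a hashed baseline of a directory tree, re-scan later, and report files that were added, removed or changed. The directory layout, file names and contents below are constructed for the example; a real deployment would point this at configuration directories, application binaries and the stores holding sensitive records.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample tree (assumption for the example only).
SAMPLE_FILES = {
    "patients.csv": b"id,name,dob\n1,Jane Doe,1970-01-01\n",
    "app/config.ini": b"[db]\nhost=localhost\n",
    "app/server.bin": b"\x7fELF-constructed-binary-stand-in",
}


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits for every regular file under root.

    Symlinks are skipped so an attacker cannot point a monitored name at a
    file whose hash happens to match the baseline.
    """
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            st = p.stat()
            baseline[rel] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines; any field change (hash, size, mode) counts as modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        k for k in set(baseline) & set(current) if baseline[k] != current[k]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Baseline the constructed tree, tamper with it, and return the detected changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in SAMPLE_FILES.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)

        baseline = build_baseline(root)
        # In production the baseline lives off-host or is signed; here a JSON
        # round-trip stands in for that storage step.
        stored = json.loads(json.dumps(baseline))

        # Simulated tampering: a record altered, a binary removed, a new file dropped.
        (root / "patients.csv").write_bytes(
            b"id,name,dob\n1,Jane Doe,1970-01-01\n2,Inserted Row,2000-01-01\n"
        )
        (root / "app/server.bin").unlink()
        (root / "app/dropper.sh").write_bytes(b"#!/bin/sh\necho constructed\n")

        return compare(stored, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline is only as trustworthy as its storage: if it sits writable on the monitored host, whoever modifies a file can re-hash it into the baseline as well, so keep the baseline off-host or sign it and verify the signature before each comparison.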
This suit follows the FTC’s 2014 victory in the Wyndham case, which validated the FTC’s authority to regulate data security. For more information on the Wyndham decision, see the Crowell Data Law blog post on the subject.
DOJ Proposes Workaround to Microsoft Ruling; United States Joins Irish Facebook Case; St. Louis Cardinals Scouting Director Sentenced to 46 Months; EU’s Advocate General Okays National Data Retention Laws; Data Protection Authority of Hamburg Becomes “Completely Independent”; 9th Circuit Suggests Password Sharing is a Federal Crime
DOJ Seeks Legislative Circumvention of 2nd Circuit’s Microsoft Ruling
Late last week, Assistant Attorney General Peter Kadzik sent a letter to Vice President Biden (in his role as presiding officer of the U.S. Senate) asking Congress to amend the Electronic Communications Privacy Act (ECPA) to permit government warrants to reach data stored overseas. This letter was written in response to the Second Circuit’s ruling earlier this month in Microsoft v. U.S., in which the Second Circuit ruled that ECPA’s data seizure provisions did not apply extraterritorially and in which Judge Lynch, in concurrence, called for congressional intervention. For more information about the Microsoft ruling, please see the Crowell & Moring “Data Law Insights” blog post detailing the court’s decision.
ECPA reform, General Kadzik’s letter argued, will resolve cross-border data access issues for both domestic and foreign governments investigating criminal activity, including terrorism. The proposal seeks to change U.S. law to “authorize law enforcement to obtain electronic data located abroad.” Criticizing the Second Circuit’s decision, General Kadzik noted the “significant public safety implications of the Microsoft decision.”
“Pokémon Go” Developer feels the heat over data collection; 2nd Circuit Ruling limits government’s access to data stored overseas; 9th Circuit CFAA Ruling increases Facebook’s control over its Users’ Data; Dutch Study reveals tension between EU Trade Deals and Data Protection
“Pokémon Go” Developer in Hot Water over Extensive Data Collection Practices
On July 12, Senator Al Franken (D-MN) sent a letter to Niantic CEO John Hanke demanding the company explain in detail the types of data Niantic collects from players, why that data “is necessary for the provision or improvement of services,” and how the company plans to use the data gathered. Franken’s letter also questioned the company’s opt-out data collection practices, suggesting that “Niantic consider making this collection/access opt-in.” Franken, who serves as the Ranking Member on the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law, has in the past spoken out against similar practices by other mobile app developers, including Uber and Lyft. Mr. Hanke has until August 12 to respond to Sen. Franken’s questions.
The Second Circuit today issued a much-anticipated ruling holding that U.S. firms are not required to turn over user data stored overseas, even in the face of a government warrant. This decision arose from Microsoft’s December 2014 appeal of a civil contempt ruling against the tech giant for refusing to turn over the personal data …
Article 31 Committee approves Privacy Shield; House Cuts FCC Funding Over Attempted Broadband Privacy Regulations; No Charges for Clinton in Data Security Probe; European Commission launches public-privacy partnership on cybersecurity; European Parliament adopts NIS Directive; Privacy Code of Conduct for mHealth app providers finalized; French parliament about to make French Privacy act more severe; Russia introduces new data retention obligations.
Article 31 Committee approves Privacy Shield
On July 8, 2016, the Article 31 Committee finally gave its support to the adoption of the “EU-U.S. Privacy Shield”, the new framework for transatlantic data transfers.
For more details, please see our latest client alert here.
House Defunds FCC’s Data Privacy Efforts for Broadband Providers
On July 7, the House of Representatives voted to cut off funding for the FCC’s proposed privacy regulations of broadband service providers. The measure, attached as an amendment to the 2017 Financial Services and General Government Appropriations Bill, cut the FCC’s funding by more than 17%. Calling the FCC’s proposed rules “extreme,” Rep. Marsha Blackburn (R-TN), the amendment’s author, claimed the measure was necessary to reassert the Federal Trade Commission’s status as the go-to federal data privacy regulator. The FCC, Rep. Blackburn asserted, “simply doesn’t have the requisite technical expertise to regulate privacy.”
The proposed regulations, which the FCC announced in March 2016, would require ISPs to disclose how data regarding customers’ online activities could be collected and recorded. These proposed rules represented the FCC’s first major attempt to regulate broadband providers in the aftermath of the agency’s February 2015 decision to treat broadband as a public utility. Several broadband providers had expressed public reservations about the FCC’s proposed rulemaking and actively lobbied legislators to act. The bill, which passed in a 239-185 vote, next heads to the Senate for consideration.
The Panama Papers Leak – An overview of history’s biggest data leak; Article 29 Working Party about to release opinion on EU-U.S. Privacy Shield; EU: GDPR and PCJ DPD about to be approved next week – final consolidated text published by Council; US: New HIPAA Audit Protocol Released as a Guidance Tool for phase two of Compliance Audits; U.S. Sneak News: Defend Trade Secrets Act, NPRM and Sony Settlement Approval.
EU: GDPR, PCJ DPD and PNR Directive adopted by Parliament; U.S.: House Judiciary Committee approves E-Mail Privacy Act; Senate to require airlines to report cyberattacks; FTC issues online tool identifying applicable law for health apps; Global: Turkey releases first comprehensive Data Protection law; Connected cars found vulnerable to cyberattacks; Data Breaches May Waive Attorney-Client Privilege?; Encryption Continues to Dominate Privacy Headlines; Hospital Settles with HHS for $2.2 Million in HIPAA Action; Southern District of New York Adds Ransomware Conspirator to Hacking Case; European and Canadian Data Protection Authorities Investigate IoT Devices; Norway Requires Data Breach Notification for Individuals
The Panama Papers Leak – An overview of history’s biggest data leak
On April 3, 2016, reports revealed that a set of 11.5 million confidential documents (“the Panama Papers”), providing detailed information about more than 200,000 offshore companies connected to the Panamanian legal service provider Mossack Fonseca, had been made available to the German daily newspaper Süddeutsche Zeitung by an anonymous source in 2015.
The documents, which make up the biggest data leak in history, reveal (potential) exploitation of offshore tax regimes as well as other illegal purposes, such as fraud or drug trafficking. Those named include not only large companies but also 143 politicians, among them twelve national leaders, as well as celebrities, government officials and other law firms. Given the scope of the leak, the Süddeutsche Zeitung involved the International Consortium of Investigative Journalists (ICIJ) and about 400 other journalists in 76 countries to investigate and analyze the documents. ICIJ has promised to publish a full list of the companies involved in early May 2016.
Mossack Fonseca, the firm whose documents were leaked, defended its commercial conduct, stating that it has always complied with applicable laws and carried out thorough due diligence on its clients. The leak will nonetheless have a huge impact on the offshore business, whose biggest selling point, secrecy, has been massively undermined.
DoD Issues Year-End DFARS Changes; Russians Now Have the “Right to Be Forgotten”; No Injury in Michael’s Data Breach Suit; FAA Issues Interim Final UAS Rule; New Penalties for Distributing Unique Medical Identifiers
Holiday Gift from Defense Department: More Time to Comply with DFARS Safeguarding Rule
Last Wednesday, the Department of Defense issued an interim rule making several changes to the Defense Federal Acquisition Regulation Supplement (DFARS), including extending the deadline for government contractors to comply with data protection requirements in DFARS 252.204-7012. Even though the Department extended the compliance window, contractors still face an obligation to inform DoD if their security programs do not yet fully comply with the regulation. For more information, or to seek assistance in meeting these changes, affected contractors can refer to the Crowell & Moring Alert on this topic, or contact the attorneys listed therein.
Search Engines in Russia Now Subject to “Right to Be Forgotten” Requests
On January 1, a Russian law went into effect requiring search engines operating in Russia to delist websites containing “false” or “obsolete” personal information upon that person’s request. Search engines need not remove certain information, such as criminal convictions or the salaries of public employees. Russia’s protections mimic those of the European Union, where the European Court of Justice upheld this right in 2014. Web companies operating in Russia and offering information aggregation services—companies that could be fined up to one million rubles ($13,000) per occurrence for their non-compliance with this measure—should take note of this development.
FTC Settles False Ad Claim with LifeLock for $100M; CISA Signed into Law; University of Washington Settles HIPAA Claims Arising from 2013 Data Breach; Senators Urge White House to Search Social Media Profiles During Visa Background Checks; FTC Announces COPPA Settlements with App Developers; Cybersecurity Enters the 2016 Presidential Race.
FTC Announces Staggering Sum in Settlement with LifeLock
The FTC announced Thursday that identity protection firm LifeLock would pay $100 million to settle allegations that it violated a 2010 federal court order requiring the firm to secure its customers’ personal data – the largest settlement ever reached by the FTC under an order enforcement action. The FTC alleged that LifeLock failed to maintain an adequate information security program and that the firm misled its customers into believing that LifeLock provided security protections tantamount to those offered by financial institutions.
Cybersecurity Bill Signed into Law
On Friday morning, Congress passed a sizeable omnibus spending bill with several policy riders, including the Cybersecurity Information Sharing Act of 2015 (“CISA”). Under CISA, any “non-federal entity” can now share information with federal government agencies “notwithstanding any other provision of law.” CISA also calls for information sharing portals whereby companies can send information to federal law enforcement authorities, and provides liability protections to those entities who voluntarily share cyber threat indicators or defensive measures with the government. President Obama signed the $1.8 trillion deal into law Friday evening.
Wyndham-FTC Settlement Looks to PCI; Target Consumer Appeals Settlement; Leaders Propose Encryption Commission; Ashley Madison MDL in St. Louis; FTC Commissioner Warns of FCC ISP Overreach; Moms Sue Over Doll’s IoT Capability
Wyndham to Implement PCI-Focused Information Security Program in Settlement with FTC
On Wednesday, the FTC and Wyndham settled a long-standing dispute regarding the hospitality company’s alleged “unfair and deceptive” data security practices, a suit that confirmed the FTC’s authority to regulate in the space. Wyndham agreed to establish a comprehensive information security program designed to protect payment cardholder data and to conduct regular structural audits of its information security systems – taking cues from the Payment Card Industry Data Security Standard.
Target Consumer Appeals $10M Data Breach Settlement
Californian James Sciaroni has appealed the $10 million consumer class action settlement approved in November by Judge Paul Magnuson. When Sciaroni objected to the settlement in July, he argued that it “does not adequately compensate the class,” totaling only about 9 cents per class member in compensatory damages, in addition to the information security standards Target accepted.