Litigation and regulation surrounding privacy and cybersecurity are continuously developing, both within the government and the private sector. This digest summarizes the most notable events in data security this week.

Adobe Reaches Preliminary Settlement with Class Action Plaintiffs Over Breach

Adobe has asked the Court to approve a class action settlement stemming from its 2013 security breach. The settlement requires Adobe to implement reasonable security measures with respect to intrusion detection, network segmentation, and encryption, and to submit to a security audit verifying that the measures have been implemented. Each named plaintiff will also receive $5,000, and Adobe will pay $1.18M in attorneys' fees and costs.
[Adobe Settlement]

New Hampshire Student Data Bill Passed

Effective August 11, 2015, the New Hampshire Department of Education will be required to maintain a data security plan to protect the personally identifiable information of its students and teachers. The plan must include privacy compliance standards, privacy and security audits, a breach notification plan, and a data retention policy.

EPIC Files Request with FTC to Investigate Uber Customer Tracking

The Electronic Privacy Information Center has filed a request for investigation with the Federal Trade Commission, asking the FTC to examine Uber’s new privacy policy, which seeks users’ permission to collect geolocation and contact data even when the application is running in the background. EPIC argues that this collection is not necessary for Uber to operate and should be banned.

[Full post: Key Privacy & Cybersecurity Developments: June 22-26, 2015]

In conjunction with the 2015 American Bar Association annual State of Criminal Justice publication, Louisa Marion and I have published a new chapter on “Digital Privacy and E-Discovery in Government Investigations and Criminal Litigation.” The article provides an in-depth look at many of the current and cutting-edge issues raised by digital privacy and e-discovery in this context, including the search and seizure of ESI, warrantless searches of mobile phones, warrantless use of GPS devices, cell-site tracking, electronic searches at the border, 5th Amendment considerations, post-indictment discovery, social media, and the Stored Communications Act, among others.

This chapter was published in The State of Criminal Justice 2015. © 2015 American Bar Association (Criminal Justice Section). Reproduced with permission.

Litigation and regulation surrounding privacy and cybersecurity are continuously developing, both within the government and the private sector. This digest summarizes the most notable events in data security this week.

Privacy Advocates Quit Facial Recognition Talks with NTIA

After 16 months of working with the National Telecommunications & Information Administration, nine privacy and consumer groups withdrew from discussions on a voluntary code of conduct for companies using facial recognition technology. The groups were unable to reach consensus with the NTIA on the level of consumer consent that should be required before facial recognition technology is used.
[Talks with NTIA]

LastPass Data Breach

Password management company LastPass revealed on June 15th that attackers had gained unauthorized access to its systems and obtained users’ email addresses, password reminders, and other authentication information. LastPass has assured users that data vaults were not exposed. Because password reminders and the other authentication data can aid guessing of weak master passwords, LastPass recommended that users change their master passwords.
[LastPass]

LinkedIn Settles Proposed Email Harvesting Class Action for $13M

LinkedIn agreed to pay $13M to settle a proposed class action alleging that the company accessed users’ email contacts without permission and sent LinkedIn invitations to them. LinkedIn also agreed to change its disclosure language concerning email account access and invitations to connections.
[LinkedIn]

[Full post: Key Privacy & Cybersecurity Developments: June 15-19, 2015]

On June 15, 2015, Justice Ministers in the Council reached agreement on a general approach concerning the General Data Protection Regulation (GDPR). This allows the Council to start negotiations with the European Parliament (which formally adopted its compromise text for the GDPR in March 2014) with a view to reaching overall agreement on the GDPR.

The first so-called trilogue meeting with the Parliament is planned for 24 June 2015. The incoming Luxembourg Presidency has expressed the firm intention to adopt the GDPR by the end of this year. The GDPR will establish a single set of rules, valid across the EU and applicable both to European and non-European companies offering goods and services to data subjects in the EU.

According to the Council’s text, European data protection authorities may impose administrative fines of up to EUR 1,000,000 or, in the case of an undertaking, up to 2 percent of its total worldwide annual turnover for the preceding financial year, on a data controller or processor that, intentionally or negligently, commits certain breaches of the new rules.

The press release of the Council and the full text of the general approach can be found at http://www.consilium.europa.eu/en/press/press-releases/2015/06/15-jha-data-protection/

Litigation and regulation surrounding privacy and cybersecurity are continuously developing, both within the government and the private sector. This digest summarizes the most notable events in data security this week.

Seven California Privacy Bills to Watch 

Law360 has compiled a summary of seven privacy bills introduced in California this year that, if enacted, could significantly reshape the state’s privacy landscape.
[Law360]

Insurance Company has no Duty to Defend Data Breach

The Connecticut Supreme Court held that an insurer had no duty to defend its insured in litigation arising from a data breach involving lost computer tapes containing personal information. The breach was not a “personal injury” as defined by the policy, because there had been no “publication” of the information on the tapes.
[PrivaWorks.com]

[Full post: Key Privacy and Cybersecurity Developments: June 8-12, 2015]

The European Commission introduced the draft General Data Protection Regulation (GDPR) in January 2012. The GDPR seeks to harmonize legislation across the EU member states, replacing the 1995 EU Data Protection Directive and the varying national laws that have implemented it.

The European Parliament formally adopted its compromise text for the proposed GDPR back in March 2014. The Council of Ministers is expected to adopt its general approach to the Regulation during its June 15/16 meetings in Luxembourg. If it does so, the first meeting for the so-called “trilogue” negotiations between the Commission, the Parliament and the Council with a view to agreeing on a final text for the GDPR is scheduled for June 24. It is expected that, if all goes well, these negotiations will continue until the end of the year. Even after that, the new rules will only become effective two years later — so at the earliest by the end of 2017.

Because so many stakeholders have been negotiating the draft GDPR for more than three years now, various components of the draft have found their way to a larger audience, notably national decision makers.

That is also why, although it may be some time before the new EU rules take effect, national legislators are increasingly introducing the new concepts and obligations themselves, without waiting for the GDPR. This trend is also driven by recent events such as the Snowden revelations and the controversy around Facebook’s social plug-ins.

[Full post: Data Breaches and Data Protection Enforcement: Netherlands and Belgium Not Waiting for New Data Protection Regulation]

The ever-increasing frequency of cyber incidents has led companies to recognize the need for cyberinsurance policies in addition to more traditional types of coverage. A recent case, Columbia Casualty Company v. Cottage Health System, No. 2:15-cv-03432, suggests that even coverage under these stand-alone cyberinsurance policies may have limits.

Earlier this month, Columbia Casualty Company (“Columbia”) filed an action in the U.S. District Court for the Central District of California, seeking a declaration that it is not obligated to provide coverage to Cottage Health System (“Cottage”) in connection with a data breach that resulted in the release of private patient healthcare information stored on Cottage’s network servers. In a case of first impression, the district court has been asked to decide the scope of coverage provided by the stand-alone “NetProtect360” cyberinsurance policy issued by Columbia to Cottage.

[Full post: California District Court Called Upon to Determine Scope of Coverage Provided by Stand-Alone Cyberinsurance Policy]

With Memorial Day unofficially kicking off summer, those keeping up with recent changes to state data breach laws are eyeing their calendars, as a series of state amendments is due to come into effect. Beginning on July 1, both Nevada and Wyoming will expand their definitions of personal information. One month later, on August 1, North Dakota will follow suit, slightly narrowing its definition of personal information but expanding its reporting duties. Key takeaways from the state amendments are detailed below.

The states’ legislative actions will likely up the ante at a time when Congress is considering a national data breach notification standard. The recent flurry of activity reflects the states’ growing interest in how data breaches affect their residents. Even in the face of national legislation, that interest is unlikely to subside.

[Full post: Three State Data Breach Laws Set to Change This Summer]

In an open letter to President Obama, 143 of the nation’s best-known businesses, trade associations, academics, and organizations urged the President to promote strong encryption technologies. The letter was prompted by recent advocacy by law enforcement and intelligence agencies (including the FBI and NSA) for built-in government access to encrypted data, despite a December 2013 recommendation by the President’s Review Group on Intelligence and Communications Technologies that the government support encryption without such deliberate weaknesses.

As the letter states, strong encryption helps protect individuals and organizations from street criminals pilfering information from stolen devices; computer criminals defrauding individuals to steal their identities; corporate spies stealing trade secrets; repressive governments stifling dissent; and foreign intelligence agencies stealing national security secrets. The letter argues that any mechanism that gives law enforcement a key to encrypted data is itself a weakness that the same bad actors can exploit, leaving individuals and companies vulnerable.

[Full post: Technology Coalition tells the President: Encryption Back Doors are a Bad Idea]

One year ago, data broker Spokeo, Inc. asked the Supreme Court to review the Ninth Circuit’s revival of a putative class action against it for willfully violating the Fair Credit Reporting Act (“FCRA”) by publishing personal information without notice. This week, the Court heeded that request and granted certiorari. In doing so, it has paved the way for yet another decision by the highest court on how standing plays out in the context of privacy violations.

Plaintiff Thomas Robins sued Spokeo under the FCRA after the data broker allegedly published false information about him without his knowledge. Interestingly, Robins claims that the information falsely stated that he had more education than he actually did and that he was in a better financial position than he actually was. But according to Robins’s complaint, these false facts made it more difficult for him to find employment, credit, or insurance and thus caused actual harm. He seeks to represent a class of individuals whose personal information has been similarly misstated.

[Full post: Supreme Court to Consider Congressionally-Conferred Privacy Breach Standing]