“Browsing and location data are sensitive . . .. Full stop,” says the Federal Trade Commission. As is all granular data that can reveal “insights” that “can be attributed to particular people” through a “re-identification” procedure. This is one basis of complaints the FTC filed against Avast, X-Mode Social, and InMarket. A March 4, 2024 FTC blog post titled FTC Cracks Down on Mass Data Collectors: A Closer Look at Avast, X-Mode, and InMarket describes why these three companies’ collection of consumers’ browsing and location data raised concerns for the agency, and looks at two other data governance practices by those companies that also concerned the agency. All companies operating in the United States that collect and use consumer data should understand the themes emerging from the proposed settlements and orders and heed the admonitions from the agency moving forward.Continue Reading “Browsing and location data are sensitive . . .. Full stop”
Data Security
Catch Up Fast: The “Data Days” of Summer in China
The summer has been anything but slow in the People’s Republic of China. China is leaning into its regulation of emerging technologies, while attempting to strike a balance with its domestic economic priorities. In just the past few weeks, state authorities have issued a slew of draft measures and announced new initiatives – all with significant ramifications for businesses processing data within the PRC. From personal information processing to facial recognition to cross-border data transfers, what follows is a highlight reel of what you may have missed while you were away on vacation, with the comment period for many of these developments closing within the next few weeks.Continue Reading Catch Up Fast: The “Data Days” of Summer in China
No More “Wait & See” for CMMC: DoD Releases Final Cybersecurity Maturity Model Certification
The Department of Defense (DoD) has released Version 1.0 of the Cybersecurity Maturity Model Certification (CMMC), Appendices A-F, and an Overview Briefing. While Version 1.0 largely mirrors the draft Version 0.7, the final version includes notable revisions. Please click here to see the full client alert.
Law Firm Data Security Seminar
Please join us for a seminar on December 5 in Washington, D.C. or December 6 in New York City on “Law Firm Data Security”. Our very own Partner Evan Wolff will be presenting alongside RSA’s Doug Howard and Niloofar Howe. Our panelists will cover all sorts of critical issues such as:
- How to defend high-demand
…
CFAA Conviction for Accessing and Damaging Former Employer’s Computer System
Last week, a federal court sentenced a former systems administrator convicted of accessing his former employer’s computer network and uploading malicious code designed to disrupt and damage the company’s manufacturing operations.
Brian P. Johnson worked for years as an information technology specialist and systems administrator at Georgia-Pacific’s Port Hudson, LA facility. In February 2014, Georgia-Pacific…
Privacy & Cybersecurity Weekly News Update – Week of August 28
Bavarian DPA: fines under GDPR to be calculated based on revenues of whole company group; ICO publishes report on data security incident trends.
Bavarian DPA: fines under GDPR to be calculated based on revenues of whole company group
On September 01, 2016, the German Data Protection Authority of Bavaria (BayLDA) has announced that according to their understanding, sanctions under the GDPR will be calculated based on the revenue of a whole company group. According to the authority, this should apply even when only one single entity is responsible for an incident.
In its position paper, the BayLDA elaborates that fines under the GDPR have to be “effective, proportionate, and dissuasive.” For most infringements, the fine can amount up to a maximum of either € 10 million, or 2% of the company’s annual global turnover (the higher will apply). For serious infringements, the fine can even amount up to the higher of € 20 Million or 4% of the respective turnover. The turnover will comprise of the turnover of the whole company group a company belongs to, according to recital 150 of the preamble, which relates to the “economic concept of an undertaking”.
Although the BayLDA’s position paper is non-binding, the interpretations and views published can nevertheless be considered very important hints on how in particular the German Data Protection authorities will interpret and enforce the new Regulation, which will enter into force on 25 May 2018. The European Data Protection Board, a group of representatives of the EU Member States (currently known as Article 29 Working Party), is expected to issue guidelines on the calculation of fines.Continue Reading Privacy & Cybersecurity Weekly News Update – Week of August 28
Privacy & Cybersecurity Weekly News Update- Week of July 9
“Pokémon Go” Developer feels the heat over data collection; 2nd Circuit Ruling limits government’s access to data stored overseas; 9th Circuit CFAA Ruling increases Facebook’s control over its Users’ Data; Dutch Study reveals tension between EU Trade Deals and Data Protection
“Pokémon Go” Developer in Hot Water over Extensive Data Collection Practices
In early July, mobile game developer Niantic released “Pokémon Go,” a free-to-download “augmented reality” game for Android and iOS devices. In less than a week, the game had been downloaded by more than 15 million unique users, making the game’s launch one of the most widely-adopted in history. Privacy advocates soon raised serious questions about the game and its accompanying privacy policy, which until July 12 granted full access to users’ Google account data unless users opted-out of such permissions—prompting Niantic to issue its first update resolving the permissions issue.
On July 12, Senator Al Franken (D-MN) sent a letter to Niantic CEO John Hanke demanding the company explain in detail the types of data Niantic collects from players, why that data “in necessary for the provision or improvement of services,” and how the company plans to use the data gathered. Franken’s letter also questioned the company’s opt-out data collection practices, suggesting that “Niantic consider making this collection/access opt-in.” Franken, who serves as the Ranking Member on the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law, has in the past spoken out against similar practices by other mobile app developers, including Uber and Lyft. Mr. Hanke has until August 12 to respond to Sen. Franken’s questions.Continue Reading Privacy & Cybersecurity Weekly News Update- Week of July 9
Privacy & Cybersecurity Weekly News Update- Week of July 3
Article 31 Committee approves Privacy Shield; House Cuts FCC Funding Over Attempted Broadband Privacy Regulations; No Charges for Clinton in Data Security Probe; European Commission launches public-privacy partnership on cybersecurity; European Parliament adopts NIS Directive; Privacy Code of Conduct for mHealth app providers finalized; French parliament about to make French Privacy act more severe; Russia introduces new data retention obligations.
Article 31 Committee approves Privacy Shield
On July 8, 2016, the Article 31 Committee has finally given its support for the adoption of the “EU-U.S. Privacy Shield”, the new framework for cross-Atlantic data transfers.
For more details, please see our latest client alert here.
House Defunds FCC’s Data Privacy Efforts for Broadband Providers
On July 7, the House of Representatives voted to cut off funding for the FCC’s proposed privacy regulations of broadband service providers. The measure, attached as an amendment to the 2017 Financial Services and General Government Appropriations Bill, cut the FCC’s funding by more than 17%. Calling the FCC’s proposed rules “extreme,” Rep. Marsha Blackburn (R-TN), the amendment’s author, claimed the measure was necessary to reassert the Federal Trade Commission’s status as the go-to federal data privacy regulator. The FCC, Rep. Blackburn asserted, “simply doesn’t have the requisite technical expertise to regulate privacy.”
The proposed regulations, which the FCC announced in March 2016, would require ISPs to disclose how data regarding customers’ online activities could be collected and recorded. These proposed rules represented the FCC’s first major attempt to regulate broadband providers in the aftermath of the agency’s February 2015 decision to treat broadband as a public utility. Several broadband providers had expressed public reservations about the FCC’s proposed rulemaking and actively lobbied legislators to act. The bill, which passed in a 239-185 vote, next heads to the Senate for consideration.Continue Reading Privacy & Cybersecurity Weekly News Update- Week of July 3
Privacy & Cybersecurity Weekly News Update- Week of June 26
Adoption of Privacy Shield expected in early July; Federal Court limits VPPA liability; Belgian Court overturns Facebook fine; FTC robocall crackdown; A rare HIPAA criminal conviction; UK’s ICO fines Brexit campaigners for mass text messages; House report calls for national encryption commission.
European Commission expects adoption of Privacy Shield for beginning of July
European officials are hoping to finally formalize the “EU-U.S. Privacy Shield”, the cross-Atlantic data transfer pact aiming at replacing the formerly invalidated “U.S.-EU Safe Harbor” Framework, on July 5. The initial draft agreement has been amended to include new explanations of U.S. governmental entities and further limitations on the bulk collection of data and mass surveillance. The European Commission is now confident that also the Article 31 Committee will give its approval to the draft framework.
Many European Privacy regulators and EU bodies, such as the European Parliament and the European Data Protection Supervisor, had argued that the initial draft did not sufficiently protect the fundamental rights of European data subjects. The revised version now “only” allows bulk collection “exceptionally”, where targeted collection is “not feasible”, although it remains open how ‘feasibility’ should be determined.Continue Reading Privacy & Cybersecurity Weekly News Update- Week of June 26
Arizona District Court Determines Scope of Coverage Provided by Cyberinsurance Policy
On May 26, 2016, in the case of P.F. Chang’s v. Federal Insurance Co., the U.S. District Court for the District of Arizona held that a stand-alone cyber insurance policy did not cover fees assessed by a third party credit card processing company against P.F. Chang’s following a June 2014 data breach. This decision is notable because it is one of the first involving the scope of coverage under a stand-alone cyber insurance policy. Furthermore, since hiring a credit card processing company is a common practice among restaurants and retailers, if and when a data breach occurs, policyholders that use these third party companies may encounter similar fees.
At the core of this dispute was P.F. Chang’s decision to hire a third-party company to process credit card payments instead of dealing directly with credit card associations. After the 2014 data breach, in which computer hackers obtained and posed to the Internet about 60,000 credit card numbers belonging to P.F. Chang’s customers, the credit card associations imposed fees on the third-party processing company, Bank of America Merchant Services (“BAMS”). BAMS then passed these fees on to P.F. Chang’s pursuant to the service contract.
Federal Insurance Company (“Federal Insurance”) had sold a CyberSecurity by Chubb Policy (the “Cyber Policy”) to P.F. Chang’s corporate parent, Wok Holdco LLC, which was in effect from January 1, 2014 to January 1, 2015. After learning of the data breach, P.F. Chang’s tendered its claim to Federal Insurance. Federal Insurance reimbursed P.F. Chang’s for over $1.7 million in costs incurred as a result of the data breach, including a forensic investigation and a third-party lawsuit. However, Federal Insurance refused to reimburse P.F. Chang’s for fees assessed by BAMS in connection with the data breach, and P.F. Chang’s filed suit.Continue Reading Arizona District Court Determines Scope of Coverage Provided by Cyberinsurance Policy