The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation


By Topic: Consumer Privacy

  • From Vol. 4 No.24 (Aug. 8, 2018)

    A Fund Manager’s Roadmap to Big Data: Its Acquisition and Proper Use (Part One of Three)

    Given the potential predictive value of raw data, spending on big data continues to increase and is largely focused on third-party vendors. The goal is to leverage the data not only to generate alpha, but to respond to new regulatory requirements, reduce costs and assist with other operational and managerial functions. But how can fund managers successfully and economically achieve these aims? This article, the first in a three-part series, explores the big-data landscape and how fund managers can acquire and use big data. The second article will analyze issues and best practices surrounding the acquisition of material nonpublic information; web-scraping; and the quality and testability of data. The third article will discuss risks associated with data privacy, the acquisition of data from third parties and the use of drones, as well as ways fund managers can mitigate those risks. See “Tips and Warnings for Fund Managers When Navigating the Big Data Minefield” (Sep. 13, 2017).

  • From Vol. 4 No.24 (Aug. 8, 2018)

    Essential Cyber, Tech and Privacy M&A Due Diligence Considerations

    Evolving threats, regulatory focus and innovation require every transaction to now include some technology, privacy and cybersecurity due diligence. A target’s problems in these areas can manifest themselves in painful ways, whereas a robust infrastructure can dramatically improve value. This article covers a recent ACA Aponix program that detailed key issues to consider when reviewing cybersecurity, information technology and regulatory compliance at target and portfolio companies. See also “Effective M&A Contract Drafting and Internal Cyber Diligence and Disclosure” (Dec. 20, 2017).

  • From Vol. 4 No.23 (Aug. 1, 2018)

    Staying Current With Geolocation Restrictions

    As geolocation technology advances, so do state, federal and international laws regulating it. The Cybersecurity Law Report spoke with ZwillGen attorneys Melissa Maalouf and Anna Hsia about keeping up with evolving geolocation data regulations in the U.S. and beyond. Smart choices early in the process, coupled with adequate disclosures and consent, will go a long way towards a company becoming and staying compliant, they said. See also “How to Respond to Law Enforcement Demands for Geolocation Data and Data Stored Abroad” (Nov. 30, 2016).

  • From Vol. 4 No.22 (Jul. 25, 2018)

    Implications of the Supreme Court’s Carpenter Decision on the Treatment of Cellphone Location Records

    According to the U.S. Supreme Court, historical cellphone records deserve more stringent protection than other customer information held by service providers. In Carpenter v. United States, the Court recently ruled that the collection of historical cell-site location information during a criminal investigation is subject to Fourth Amendment “search and seizure” protection and that the federal government generally needs a warrant to access such records. The decision may have been a victory for privacy advocates in theory, but what does it mean on the ground for government investigations and the companies that handle this and related data? This article analyzes the decision and its implications with insight from our experts. See also “How to Respond to Law Enforcement Demands for Geolocation Data and Data Stored Abroad” (Nov. 30, 2016).

  • From Vol. 4 No.21 (Jul. 18, 2018)

    What to Expect From California’s Expansive Privacy Legislation

    The sweeping California Consumer Privacy Act of 2018 merits attention – it affects more companies than many realize, differs from the GDPR in important ways and may presage other similar state privacy laws. The law will most likely be amended before its January 1, 2020, implementation date, but organizations would be wise to start preparing now. We analyze the new requirements. See also “The GDPR’s Data Subject Rights and Why They Matter” (Feb. 28, 2018).

  • From Vol. 4 No.15 (Jun. 6, 2018)

    Analyzing New and Amended State Breach Notification Laws

    With the adoption of statutes by Alabama and South Dakota this year, all 50 states now have breach notification laws that prescribe notification procedures. Arizona, Colorado and Oregon have also recently revised and strengthened their existing data breach notification laws. This article details the provisions of the new statutes and amendments, with insights from McGuireWoods partner Janet P. Peyton. See “Synthesizing Breach Notification Laws in the U.S. and Across the Globe” (Mar. 2, 2016).

  • From Vol. 4 No.14 (May 30, 2018)

    Understanding the Intersection of Law and Artificial Intelligence

    How can lawyers effectively use artificial intelligence and mitigate the myriad risks it poses? During a recent Strafford panel, Robert W. Kantner, a partner at Jones Day; Michael W. Kelly and Huu Nguyen, both partners at Squire Patton Boggs; and Dennis Garcia, an assistant general counsel at Microsoft, provided insight on how to make the most of AI. See “Using Big Data Legally and Ethically While Leveraging Its Value (Part One of Two)” (May 17, 2017) and Part Two (May 31, 2017).

  • From Vol. 4 No.11 (May 9, 2018)

    Building a Customer Privacy Program: Lessons from Dupont’s Privacy Leaders

    With the sweeping data breaches of the last few years and the revelation that millions of Facebook users’ private information was harvested by a third party, consumer privacy is on the forefront of corporate and political minds. Companies know protecting data they collect is critical, but integrating privacy policies and practices into organizations – particularly large and complex organizations – can be challenging and costly. At IAPP’s 2018 Global Privacy Summit, Dupont’s privacy leaders shared their experience and provided advice on building a customer privacy program, such as how to start with a pilot business and automating as much as possible. See “Advice From CPOs on Nurturing Privacy Programs on Any Budget” (May 17, 2017).

  • From Vol. 4 No.5 (Mar. 14, 2018)

    FTC Enters Into Stiff Settlement With PayPal for Venmo’s Deceptive Practices, but Eases Up on a 2009 Sears Order

    A pair of recent FTC orders demonstrate that despite aggressive action against businesses deemed to have made false or deceptive disclosures on privacy and cybersecurity matters, the Commission is also open to a more nuanced approach to disclosure and is willing to reconsider existing consent orders when circumstances change. This article analyzes (1) the recent settlement order with PayPal, whose Venmo unit misled users about the privacy of transactions and the availability of their funds and (2) the Order Reopening and Modifying a 2009 Order, which does away with a requirement that Sears make extensive disclosures on its mobile apps about how it tracks certain web browsing. See “Lessons and Trends From FTC’s 2017 Privacy and Data Security Update: Enforcement Actions (Part One of Two)” (Jan. 31, 2018).

  • From Vol. 4 No.4 (Feb. 28, 2018)

    The GDPR’s Data Subject Rights and Why They Matter

    Privacy rights, once more obscure, are now common topics both within and beyond legal circles. The European “right to be forgotten” is at the forefront of these discussions and it raises certain questions. What are the individual “data subject” rights under the E.U. General Data Protection Regulation? And why should U.S. organizations care? In this guest article, Frankfurt Kurnit partner Tanya Forsheit reviews the GDPR’s application to U.S. organizations, explains “data subjects” and “data subject rights” under the GDPR, and addresses how requests by E.U. data subjects to exercise some of their new rights might surface here in the U.S. and impact the daily lives of corporate lawyers and customer service departments. See also “Five Months Until GDPR Enforcement: Addressing Tricky Questions and Answers” (Dec. 20, 2017).

  • From Vol. 4 No.4 (Feb. 28, 2018)

    Financial Firms Must Supervise Their IT Providers to Avoid CFTC Enforcement Action

    The CFTC recently announced a settlement with futures firm AMP Global Clearing LLC (AMP), which had tens of thousands of client records compromised after its IT vendor unknowingly installed a backup drive on AMP’s network that included an unsecured port. The settlement order requires AMP to cease and desist from future violations, pay a civil penalty of $100,000 and report to the CFTC for the next year on its efforts to improve its digital security. “As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system,” said CFTC Director of Enforcement James McDonald. In particular, it is a reminder of the importance of monitoring third-party service providers. In this article, we analyze the case and relevant remedial steps AMP agreed to take. For more from the CFTC, see “Virtual Currencies Present Significant Risk and Opportunity, Demanding Focus From Regulators, According to CFTC Chair” (Feb. 14, 2018).

  • From Vol. 4 No.3 (Feb. 14, 2018)

    NY AG and HHS Flex Regulatory Muscles in Recent Protected Health Information Breach Settlements

    Recent enforcement actions against Aetna Inc. and Fresenius Medical Care Holdings, Inc. resulted in the respondents agreeing to pay significant fines and to update their policies, procedures and training. These cases, brought by the Office of the Attorney General of the State of New York and the Office for Civil Rights of the U.S. Department of Health & Human Services, are an important reminder that human error is often a significant factor in data breaches and that physical security is a critical component of data privacy. In addition, the Aetna action is the most recent example of New York’s active cybersecurity efforts. “New York has been on the leading edge of data security regulation. . . . The Attorney General [] has been proactive,” Patterson Belknap partner Craig A. Newman told The Cybersecurity Law Report. “It’s fair to say that cyber is at the top of the state’s regulatory agenda.” We detail the breaches and settlement terms. See also “Takeaways From State AGs’ Record-Breaking Target Data Breach Settlement” (May 31, 2017).

  • From Vol. 4 No.2 (Jan. 31, 2018)

    Biometric Data Protection Laws and Litigation Strategies (Part One of Two)

    Both the public and private sectors are increasingly using biometric identification as a security method, making it more important than ever to understand the wide range of relevant legal requirements and restrictions. During a recent WilmerHale webinar, firm attorneys Jonathan G. Cedarbaum and Arianna Evers analyzed the regulatory landscape related to the collection and use of biometric data. In the first installment of our two-part series, we cover their presentation on relevant state laws and notable cases, litigation strategies and defenses. Part two will cover applicable federal and international regulations. See also “Actions Under Biometric Privacy Laws Highlight Related Risks” (Dec. 6, 2017).

  • From Vol. 3 No.24 (Dec. 6, 2017)

    Actions Under Biometric Privacy Laws Highlight Related Risks

    More and more companies are using biometric data internally and with consumer interactions. Biometric identifiers and the new technologies that use them offer exciting benefits. However, as new technology often does, biometrics presents both cybersecurity and data privacy concerns. Certain states have enacted legislation and plaintiffs have filed class-action lawsuits. This article explains the regulatory and litigation landscape, focusing on recent complaints and a federal appellate dismissal. See also our three-part series on unlocking encryption: “Navigating Encryption Options and Persuading Reluctant Organizations” (Aug. 9, 2017); “A CISO’s Perspective on Encryption As Only One Strategy” (Aug. 23, 2017); and “An Attorney Weighs in on Balancing Security and Practicality” (Sep. 13, 2017).

  • From Vol. 3 No.22 (Nov. 8, 2017)

    Managing Data Privacy Across Multiple Jurisdictions

    Long gone are the days when an acceptable privacy program consisted of a policy in an HR handbook. Building an effective and comprehensive privacy program that addresses wide-ranging data sets and dynamic regulations is a challenge for large and small organizations alike. To provide guidance on what has worked for them, Ropes & Gray teamed up with privacy professionals from Wyndham Worldwide and Facebook on a recent panel at the Privacy + Security Forum. The panelists offered advice on complying with the patchwork of U.S. laws and the growing number of global regulations, and offered behind-the-scenes insight on how Wyndham built its global privacy program as well as how Facebook approaches privacy across its products. See also “Tips From Google, Chase and P&G Privacy Officers on Developing Strong Privacy Leadership and When to Use Outside Counsel” (Aug. 23, 2017).

  • From Vol. 3 No.20 (Oct. 11, 2017)

    FTC Launches Stick With Security Series, Adding Detail and Guidance to Its Start With Security Guide (Part Two of Two)

    Companies continue to seek more detailed guidance on data-security expectations from regulators such as the FTC. As a follow-up to its 2015 Start With Security Guide, which contained 10 fundamentals, the FTC launched its Stick With Security blog series. It builds on those 10 principles using hypotheticals to take “a deeper dive” into proactive data-protection steps. The first article in our two-part series examined the blog posts analyzing the first five principles of Start With Security, and this second article continues with the remaining five. The “examples in the posts help companies with line drawing and balancing risk,” Kelley Drye partner Dana Rosenfeld told The Cybersecurity Law Report. See “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017); and “A Behind-the-Curtains View of FTC Security and Privacy Expectations” (Mar. 16, 2016).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    FTC Settlements in Privacy Shield Cases and With Lenovo Over Use of “Man-in-the-Middle” Software Highlight Vigorous Enforcement Efforts

    Despite operating with only two of five Commissioners, the FTC has continued its data-privacy-enforcement efforts. It recently struck a major settlement with Lenovo over adware that was pre-installed on laptops and, unbeknownst to consumers, acted as a “man-in-the-middle,” with the ability to capture all of the data users transmitted to e-commerce websites they visited. It also reached settlements with three companies based on allegedly false claims of compliance with the U.S.-E.U. Privacy Shield framework. We explain the facts and circumstances that gave rise to the FTC enforcement actions and the terms of the settlements. See also “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    Audit of Websites’ Security, Privacy and Consumer Practices Reveals Deficiencies Despite Overall Progress

    Email authentication and adequate privacy are among key challenges for the financial sector, according to a recent audit by the Online Trust Alliance. Its 2017 Online Trust Audit & Honor Roll, an annual benchmarking analysis about security standards, privacy practices, and consumer protection, evaluates approximately 1,000 websites with over 60 criteria taking into consideration the evolving threat landscape, regulatory environment and globally accepted practices. With its goal of pushing companies past compliance to “stewardship,” the Audit results serve as a benchmarking tool for companies to compare their own practices against OTA’s list of best practices, Jeff Wilbur, Director of the Online Trust Alliance Initiative at the Internet Society, told The Cybersecurity Law Report. With commentary from Wilbur, we explore the Audit’s results and recommended best practices. See also “Surveys Show Cyber Risk Remains High for Financial Services Despite Preventative Steps” (Jun. 28, 2017).

  • From Vol. 3 No.18 (Sep. 13, 2017)

    Tips and Warnings for Fund Managers When Navigating the Big Data Minefield

    Data-gathering and analytics have become valuable tools for private fund managers when making their investment decisions. As technology outpaces the law in this area, however, managers must use caution when acquiring and using data. In a recent webinar, Proskauer attorneys examined the evolving means of collecting data, the risks involved and the ways managers can use big data without running afoul of applicable law. See “Best Practices for Managing the Risks of Big Data and Web Scraping” (Jul. 26, 2017).

  • From Vol. 3 No.17 (Aug. 23, 2017)

    Uber Settlement Highlights Benefits of a Privacy Impact Assessment

    Uber’s recent FTC settlement, in which it agreed to implement a comprehensive privacy program designed to address privacy risks and protect consumers’ confidential information, highlights the utility of a privacy impact assessment (PIA), which may help other companies stay out of the agency’s crosshairs in the first instance. This article summarizes Uber’s settlement of FTC claims that were based on allegations that it failed to properly protect consumers’ personal information, and covers the role of a PIA in designing a comprehensive privacy program, including what the process should entail, who should be involved, cost-benefit considerations and how it helps to fulfill regulatory obligations. See also “Privacy Leaders Share Key Considerations for Incorporating a Privacy Policy in the Corporate Culture” (Oct. 19, 2016).

  • From Vol. 3 No.17 (Aug. 23, 2017)

    Implications and Analysis of the E.U.-Canada Data Sharing Agreement Rejection

    The Court of Justice of the European Union has struck down a major air passenger data sharing agreement between the E.U. and Canada. In a guest article, John Magee, a partner at William Fry, and Alex Cameron, a partner at Fasken Martineau, discuss the ruling and its potential repercussions, including the impact on similar agreements with Australia and the U.S., on post-Brexit E.U. data transfers, and on Canadian data protection laws. See also “Key Requirements of the Newly Approved Privacy Shield” (Jul. 20, 2016).

  • From Vol. 3 No.15 (Jul. 26, 2017)

    Best Practices for Managing the Risks of Big Data and Web Scraping

    The $60.5 million judgment that craigslist obtained in April 2017 against RadPad, a third party that collected data from craigslist’s site through automated means, highlights some of the issues faced by entities that collect – or engage others to collect – data through automated means for commercial purposes. The judgment was based on various claims relating to RadPad’s use of sophisticated techniques to evade detection and harvest content from craigslist’s site, as well as distribution of unsolicited commercial emails to craigslist users to market RadPad’s own apartment rental listing service. In a guest article, Proskauer partners Jeffrey D. Neuburger, Joshua M. Newville and Robert G. Leonard provide an overview of big data and web scraping, outline potential sources of liability to hedge fund managers that collect big data and describe best practices for navigating several areas of potential liability. See also “Using Big Data Legally and Ethically While Leveraging Its Value (Part One of Two)” (May 17, 2017); Part Two (May 31, 2017).

  • From Vol. 3 No.11 (May 31, 2017)

    Using Big Data Legally and Ethically While Leveraging Its Value (Part Two of Two)

    Companies across industries are leveraging big-data analytics to enhance their products and services, improve marketing efforts and prevent fraud and abuse of their services. But how do they do this legally and ethically given the challenges of tracking the rights and restrictions that accompany such a vast array of data? With input from in-house compliance professionals and outside counsel, this two-part article series offers practical guidance for designing big-data initiatives that ensure the legal and ethical use of big data across industries. This second installment presents nine areas to consider in achieving compliance, including advice on transparency, security hygiene, resources for guidance, and strategies for dealing with third-party vendors. It also addresses common challenges and the future of big-data analytics. The first part explored what is meant by “big data,” how it is collected and used by various industries and applicable legal requirements. See also “The FTC’s Big Data Report Helps Companies Maximize Benefits While Staying Compliant” (Feb. 3, 2016).

  • From Vol. 3 No.10 (May 17, 2017)

    Using Big Data Legally and Ethically While Leveraging Its Value (Part One of Two)

    Companies across industries are leveraging big-data analytics to enhance their products and services, improve marketing efforts and prevent fraud and abuse of their services. Big data offers substantial societal and public-health benefits, but companies must evaluate complex privacy and regulatory challenges when they are analyzing aggregated purchasing behavior, consumer online activity, or medical information for secondary uses. With input from in-house compliance professionals and outside counsel, this two-part article series offers practical guidance for designing big-data initiatives that ensure the legal and ethical use of big data across industries. This first part explores what big data is, how it is collected and used by various industries and applicable legal requirements. Part two will provide advice on remaining compliant while leveraging big data and strategies for dealing with big data and third-party vendors. See also “The FTC’s Big Data Report Helps Companies Maximize Benefits While Staying Compliant” (Feb. 3, 2016).

  • From Vol. 3 No.10 (May 17, 2017)

    Advice From CPOs on Nurturing Privacy Programs on Any Budget

    Mounting responsibilities combined with lean staffs, underfunding, and a reputation for restricting business ideas present challenges to privacy officers. The demands of the job coupled with the realities of the workplace have inspired some of them to develop creative approaches to what remains a fundamental and seemingly universal challenge for businesses large and small: safeguarding personal information successfully at a doable cost. “We all scratch our heads on the same kinds of questions and have tried different experiments on how to be more effective in our programs,” observed Lauren Steinfeld, CPO of Penn Medicine, during a recent IAPP Global Summit panel. She was joined by the CPOs of Comcast and PepsiCo as well as the SVP, data management at MasterCard. We cover their advice on ways to maximize benefits of privacy programs while working with limited resources. See also “Advice From Compliance Officers on Getting the C-Suite to Show You the Money for Your Data Privacy Program” (Dec. 14, 2016).

  • From Vol. 3 No.6 (Mar. 22, 2017)

    Understanding Online Advertising Technology and the Pipeline Process

    Understanding the technology behind online advertising is critical to navigate the significant privacy and other legal issues in play. The risks associated with getting it wrong are sizeable. For example, following nine years of litigation, Google Inc. has agreed to pay a $22.5 million settlement to a proposed class of advertisers who claimed Google had placed their ads on inactive websites. At a recent PLI program, Jonathan Mayer, Stanford University attorney and computer scientist, explained the technology behind tracking, targeting and ad delivery, as well as the “high-frequency trading for eyeballs” ad bidding exchange process. See also “Keeping Up With Technology and Regulatory Changes in Online Advertising to Mitigate Risks” (Jan. 6, 2016).

  • From Vol. 3 No.4 (Feb. 22, 2017)

    Lessons for Connected Devices From the FTC’s Warning Against Unexpected Data Collection

    In a recently announced $2.2 million settlement with television manufacturer VIZIO, the FTC and the state of New Jersey emphasized the importance of providing notice and consent, particularly when connected-device users may not expect the types of data collection and sharing taking place. The action demonstrates the coordination of federal and state enforcement agencies, and the settlement terms serve to inform connected-device companies about the agencies’ expectations. In terms of data collection and disclosure, “companies should consider what consumers expect of a device, particularly if it was an analog device that has not been smart in the past,” FTC attorney Megan Cox told The Cybersecurity Law Report. See “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017); and “Privacy, Security Risks and Applicable Regulatory Regimes of Smart TVs” (Jan. 11, 2017).

  • From Vol. 3 No.2 (Jan. 25, 2017)

    FTC Data Security Enforcement Year-In-Review: Do We Know What “Reasonable” Security Is Yet?

    In 2016 alone, more than 35 million records were reported as compromised in more than 980 data breaches, which made consumers wary of trusting companies to handle their data. This leaves companies wondering what they can do to amplify their data security practices to help avoid consumer distrust and the scrutiny of regulators. The FTC expects “reasonable” security, but what does that mean? In this guest article, Kelley Drye & Warren attorneys Alysa Z. Hutnik and Crystal N. Skelton shed light on the answer to this question by detailing illustrative data security enforcement actions over the past year and the security practices the agency has indicated should be implemented as well as those it has warned should be avoided. See also “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017).

  • From Vol. 3 No.2 (Jan. 25, 2017)

    Tracking Consumer Data: DAA Guidance Applies Core Principles to Cross-Device Technology

    No longer tied to a desk for internet browsing, consumers move among devices, platforms, software, apps and service providers. While the technology offers consumers great convenience and other benefits, it can also make them uneasy as new forms of tracking are continually being developed. On February 1, 2017, the Council of Better Business Bureaus and the Direct Marketing Association will begin enforcement of the Application of the Digital Advertising Alliance Principles of Transparency and Control to Data Used Across Devices. The guidance takes DAA standards and principles and applies those to the technology of cross-device tracking. “DAA has been really effective by focusing on advertising practices, like cross-app advertising or cross-device linking, rather than focusing on specific technologies,” because the technologies rapidly change, Lindsey Tonsager, a partner at Covington, explained. See also “FTC Chair Addresses the Agency’s Data Privacy Concerns With Cross-Device Tracking” (Nov. 25, 2015).

  • From Vol. 3 No.1 (Jan. 11, 2017)

    FTC Priorities for 2017 and Beyond

    From holding events on ransomware, disclosure and marketing tactics, to entering into settlement agreements for the misuse of location data, to tackling APEC’s privacy framework for the first time, 2016 was a busy year for the FTC’s privacy and security enforcement arm. The Commission’s actions indicate that it is intending to keep pace with the latest tech and policy developments. But what is in store for 2017? At IAPP’s recent Practical Privacy Series conference, FTC Commissioner Maureen Ohlhausen discussed the agency’s priorities for the coming year. See also “Demystifying the FTC’s Reasonableness Requirement in the Context of the NIST Cybersecurity Framework (Part One of Two)” (Oct. 19, 2016); Part Two (Nov. 2, 2016).

  • From Vol. 3 No.1 (Jan. 11, 2017)

    Privacy, Security Risks and Applicable Regulatory Regimes of Smart TVs

    Technology often outpaces regulation. Connected devices such as smart TVs are no exception. Like other devices in the growing Internet of Things, smart TVs provide a variety of conveniences and content options to their users, along with a range of serious data privacy and security risks, and regulators are struggling to keep pace with developments. In a recent WilmerHale program, attorneys D. Reed Freeman and Sol Eppel discussed the FTC’s December 2016 workshop, and detailed the regulatory and legal regimes that may affect smart TV manufacturers, providers and users. See also “New NIST and DHS IoT Guidance Signal Regulatory Growth” (Nov. 30, 2016).

  • From Vol. 2 No.24 (Nov. 30, 2016)

    How to Respond to Law Enforcement Demands for Geolocation Data and Data Stored Abroad

    When faced with a range of demands for data from law enforcement, electronic communications and remote computing service providers must navigate the competing interests of user privacy and legal compliance. They must be prepared in advance to shape their response to a demand based on the type and location of data sought, as they will be expected to act quickly once it is made. During a recent webcast, ZwillGen attorneys Aaron Altschuler and Abby Liebeskind addressed how best to handle law enforcement requests regarding geolocation data and data held overseas in order to avoid liability and protect users. See also “CSIS’ James Lewis Discusses Balancing Law Enforcement and Privacy” (Mar. 16, 2016).

  • From Vol. 2 No.20 (Oct. 5, 2016)

    Examining Newly Released Privacy and Security Guidance for the Fast-Driving Development of Autonomous Cars

    Auto manufacturers and technology companies are moving closer to making driverless cars a reality, much to the excitement and fear of consumers. While autonomous cars have the potential to provide enormous safety and environmental benefits, this uncharted territory also presents an array of unknowns for companies and consumers. As a first step to address the risks of this new technology, and to signal possible regulations, the government has released voluntary guidance for manufacturers that addresses safety, privacy and security. “The 15-point Safety Assessment may be a safe harbor that provides a benchmark for car manufacturers to meet,” Alma Murray, senior counsel for privacy at Hyundai Motor America, explained to The Cybersecurity Law Report. “This standard-setting is also good for the consumer/driver in that it sets a standard of care that must be met by manufacturers which, if not met, can subject the manufacturers to lawsuits.” See also “Managing Risk for the Internet of Things in the Current Regulatory Landscape” (May 11, 2016); and “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).

  • From Vol. 2 No.18 (Sep. 7, 2016)

    Survey Reveals What Keeps Consumers Away From Connectivity and How to Address Their Concerns

    For companies that collect personal information, a breach may cause already wary consumers to choose other options for those products and services. The results of the KPMG Barometer Report illustrate these realities, and, focusing on the technology, retail, financial services and automotive industries, the Report suggests ways companies can improve cybersecurity preparedness. The Report also cites specific actions companies should take following an incident to raise consumer confidence and retain their customers. These actions are all the more important as consumers become “less forgiving. They have expectations that companies will take due care to provide robust security and privacy protections and are becoming more likely to vote with their wallet when those expectations are not met,” Greg Bell, the U.S. leader of KPMG Cyber, told The Cybersecurity Law Report. See also “How to Avoid Common Mistakes and Manage the First 48 Hours Post-Breach” (Jun. 22, 2016).

    Read Full Article …
  • From Vol. 2 No.18 (Sep. 7, 2016)

    Lessons From Consumer Challenges to Email Review Practices

    In three recent cases in front of the same judge, consumers asserting privacy concerns have taken different approaches to challenging how internet giants Google and Yahoo review emails. After class certification was denied in a case against Google, another group of plaintiffs brought a case seeking injunctive relief against Yahoo and a separate group sought permissive joinder on a large scale in a new action against Google. Most recently, in the third case, the same judge granted Google’s motion to sever an attempt to join more than 800 individual plaintiffs. Collectively, the results of these actions emphasize the importance of proper disclosures and illustrate the efficacy of the defense strategy of emphasizing individualized questions of consent. See “Federal Judge Offers Advice on Litigating Data Privacy, Security Breach and TCPA Class Action Suits” (Apr. 27, 2016).

    Read Full Article …
  • From Vol. 2 No.16 (Aug. 3, 2016)

    Is Pokémon Go Pushing the Bounds of Mobile App Privacy and Security?

    The popularity of the new app Pokémon Go, an augmented reality game in which players use their mobile devices to catch Pokémon characters in real-life locations, continues to grow despite security and privacy concerns. Intelligence firm Sensor Tower estimates the game has been downloaded 75 million times. The game’s success brings to light a number of privacy issues generally tied to the collection, storage and sharing of user information by mobile apps, as well as users’ control of those actions and the app’s disclosure practices. Justine Gottshall, a partner at InfoLawGroup, and Shook, Hardy & Bacon attorney Eric Boos recently spoke with The Cybersecurity Law Report about these issues as well as the recently filed lawsuit alleging that the Pokémon Go terms of service and privacy policy are deceptive and unfair. See “Legal and Regulatory Expectations for Mobile Device Privacy and Security” Part One (Feb. 3, 2016); Part Two (Feb. 17, 2016).

    Read Full Article …
  • From Vol. 2 No.14 (Jul. 6, 2016)

    Enforcing Consumer Consent: FTC Focuses on Location Tracking and Children’s Privacy

    The FTC is using its enforcement power to ensure meaningful choice when it comes to geo-location tracking that companies use to gain key marketing data, particularly when children are involved. The FTC brought an action against the global online advertising company InMobi alleging that the company had tracked millions of mobile app users, including children, even when they had opted out, and had misrepresented its practices to app developers and publishers. In the recent settlement, InMobi agreed to pay a significant fine and comply with a detailed long-term injunction. Donna Wilson, Manatt partner, told The Cybersecurity Law Report that companies should expect a “continued emphasis” from regulators on children’s privacy and geo-location practices, as well as a closer look at “how companies’ conduct in that area lines up with what they are telling either consumers and/or business partners and other third parties.” See also “FTC Director Analyzes Its Most Significant 2015 Cyber Cases and Provides a Sneak Peek Into 2016” (Jan. 6, 2016).

    Read Full Article …
  • From Vol. 2 No.10 (May 11, 2016)

    When Do Consumers Have Standing to Sue Over Data Breaches?

    When a company is hacked, civil litigation often follows, and the types of claims brought against hacked companies – like in the recent P.F. Chang’s case – include a host of traditional common law and statutory claims. None of these claims can succeed, however, unless plaintiffs can establish standing. This threshold issue has plagued plaintiffs in data breach cases, but a federal appeals court recently ruled in their favor by reversing the dismissal of a class action. In a guest article, Thomas Rohback and Patricia Carreiro, a partner and associate, respectively, of Axinn, Veltrop & Harkrider, analyze the progeny of standing outcomes in data breach cases, including the Lewert v. P.F. Chang’s holding, and examine what this issue and others might look like in future data breach class actions. See also “Making Sense of Conflicting Standing Decisions in Data Breach Cases” (Mar. 30, 2016).

    Read Full Article …
  • From Vol. 2 No.10 (May 11, 2016)

    Privacy Concerns in a Cashless Society

    How will individual privacy hold up in a cashless society? As payment technology brings us closer to a world where cash is scarce, concerns about how non-cash payments can be tracked, and how secure they are, proliferate. The Cybersecurity Law Report spoke to Christoph Tutsch, founder and CEO of ONPEX, a Munich-based online payment exchange, and David Navetta, a partner and U.S. co-chair of Norton Rose Fulbright’s data protection, privacy and cybersecurity practice group, about what privacy would look like in a cashless society, and how the government might be the key to a more secure system. See also “How Companies Are Preparing for the Imminent Liability Shift for Counterfeit Credit Cards” (Jun. 3, 2015).

    Read Full Article …
  • From Vol. 2 No.10 (May 11, 2016)

    SEC Teaches Broker-Dealer a Lesson About Keeping Business Emails Secure

    In its continued enforcement of appropriate cybersecurity controls, the SEC initiated administrative proceedings against Craig Scott Capital, LLC (CSC), a broker-dealer based in Uniondale, New York, and its two principals for failing to protect confidential consumer information by using personal email addresses for business matters. “The enforcement action, including the fines imposed, reflects how seriously SEC takes the adoption of and compliance with proper policies and procedures,” Anastasia Rockas, a partner at Skadden, told The Cybersecurity Law Report. The SEC, alleging no harm to consumers, fined CSC $100,000 and its two principals $25,000 each. See also “Investment Adviser Penalized for Weak Cyber Policies; OCIE Issues Investor Alert” (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 2 No.9 (Apr. 27, 2016)

    Designing Privacy Policies for Products and Devices in the Internet of Things

    The connectivity of common devices, from watches to refrigerators, brings with it multiplying privacy challenges. Traditional ways of explaining privacy choices do not always work in this space, and manufacturers, consumers and regulators are struggling to find balance between privacy and convenience. Dana Rosenfeld and Crystal Skelton, Kelley Drye & Warren partner and associate, respectively, talked to The Cybersecurity Law Report about challenges and solutions for designing the Internet of Things for privacy. See also “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).

    Read Full Article …
  • From Vol. 2 No.8 (Apr. 13, 2016)

    Securing Connected Medical Devices to Ensure Regulatory Compliance and Customer Safety (Part Two of Two)

    “The risks of cybersecurity are being felt more in healthcare-related companies,” Abhishek Agarwal, chief privacy officer for legal and compliance at a major global healthcare company, told The Cybersecurity Law Report, particularly in the area of connected medical devices. Government, industry and outside counsel experts agree that it is essential to evaluate and monitor cybersecurity vulnerabilities and the potential impacts on patient health and safety from the beginning and throughout a product’s lifecycle to mitigate those risks. This second article in our two-part series explores operational best practices and post-market considerations to address medical device cybersecurity, including the new proposed FDA post-market guidance and adding connectivity to existing devices. Part one examined the development and risks of connected devices and recommended pre-market steps companies should take. See also “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things” (May 20, 2015).

    Read Full Article …
  • From Vol. 2 No.8 (Apr. 13, 2016)

    Study Analyzes How Companies Can Overcome Cybersecurity Challenges and Create Business Value

    Many executives tasked with combatting cybersecurity threats lack necessary awareness and readiness, according to a survey commissioned by security firm Tanium and the NASDAQ. The Accountability Gap: Cybersecurity & Building a Culture of Responsibility (the Survey Report) includes findings of an extensive study involving 1,530 non-executive directors, CEOs, CISOs and CIOs of major corporations around the globe. Using information from a combination of one-on-one interviews and a quantitative survey, the Survey Report highlighted seven key cybersecurity challenges facing boards and executives and provided actionable advice in these areas. We examine these findings, with input from Lance Hayden, managing director of Berkley Research Group, and author of People-Centric Security. See also “Protecting the Crown Jewels Using People, Processes and Technology” (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 2 No.8 (Apr. 13, 2016)

    The Regulators’ View of Best Practices for Social Media and Mobile Apps

    Social media and mobile apps provide consumers and companies with a host of benefits, such as improved access to information and the tailoring of content to the consumer, but also present privacy and security challenges that are continually evolving. At a recent PLI program, a panel of regulators shared their views on the emerging regulatory landscape for social media and mobile apps. Laura D. Berger, a senior attorney in the division of privacy and identity protection at the FTC; Joanne McNabb, the director of privacy education and policy in the privacy enforcement and protection unit of California’s Attorney General’s office; and Thomas M. Selman, executive vice president, regulatory policy, and legal compliance officer of FINRA, discussed their respective agencies’ roles and responsibilities, the enforcement priorities of their agencies, and examples of best practices in the use and development of social media and mobile apps. D. Reed Freeman, Jr., a partner at WilmerHale, moderated the panel. See “Legal and Regulatory Expectations for Mobile Device Privacy and Security (Part One of Two)” (Feb. 3, 2016); Part Two (Feb. 17, 2016).

    Read Full Article …
  • From Vol. 2 No.6 (Mar. 16, 2016)

    FCC Flexes Its Muscles With Proposed Broadband Privacy Rules and Verizon Settlement

    Continuing its increased emphasis on online privacy, the FCC has proposed regulations for broadband ISP services, right on the heels of a $1.35 million settlement with Verizon Wireless tied to its use of unique identifier headers or “supercookies.” Verizon agreed to adopt a three-year compliance program in connection with its tracking of customers for targeted advertising purposes and failing to adequately notify them about it. Experts told The Cybersecurity Law Report that the consent decree seemed to pave the way for the proposed new privacy rules, which center around choice, security and transparency. We analyze the settlement, provide three key takeaways from it and explore the impact of the new proposed rules. See also “FCC Makes Its Mark on Cybersecurity Enforcement With Record Data Breach Settlement” (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 2 No.6 (Mar. 16, 2016)

    CSIS’ James Lewis Discusses Balancing Law Enforcement and Privacy

    “Surveillance to keep me safe from crime and terrorism is bad, but surveillance to sell me deodorant is good?” James Lewis, director and senior fellow at the Center for Strategic and International Studies, and author of Securing Cyberspace for the 44th Presidency, posed this and other questions in a conversation with The Cybersecurity Law Report about the tension between law enforcement and privacy concerns. He also shared his candid and colorful views on, among other things, the ongoing dispute about law enforcement’s access to the San Bernardino shooter’s iPhone, and how the public and private sectors can coordinate cybersecurity efforts. See also “White House Lays Out Its Broad Cybersecurity Initiatives” (Feb. 17, 2016).

    Read Full Article …
  • From Vol. 2 No.5 (Mar. 2, 2016)

    Implementing a Privacy by Design Program to Protect Corporate and Consumer Information

    One way for companies to integrate their internal and external commitment to data protection and privacy is by implementing a “privacy by design” mechanism, Sachin Kothari, director of online privacy and compliance at AT&T, Inc., explained during a recent ALM cyberSecure Conference. Kothari highlighted specific steps companies can take to effectively integrate such a program into their corporate governance structures. He was joined by Andrea Arias, an attorney in the Division of Privacy and Identity Protection at the FTC and Chaim Levin, chief U.S. legal officer at Tradition Group. This article examines Levin and Kothari’s insights on data security and privacy governance and best practices to meet the potentially competing demands of in-house, consumer and regulatory cybersecurity expectations. A future article will address Arias’ perspective on recent FTC guidance and cyber enforcement actions. See also “Coordinating Legal and Security Teams in the Current Cybersecurity Landscape (Part One of Two)” (Jul. 1, 2015); Part Two (Jul. 15, 2015).

    Read Full Article …
  • From Vol. 2 No.4 (Feb. 17, 2016)

    Legal and Regulatory Expectations for Mobile Device Privacy and Security (Part Two of Two)

    Companies are capitalizing on increased personal and professional mobile device use by collecting, storing and sharing mobile-generated information to improve products and services and target advertising. During a recent webinar, WilmerHale partners D. Reed Freeman, Jr. and Heather Zachary examined the latest federal, state and self-regulatory privacy and data security expectations tied to mobile devices. In this second installment of our two-part series, Freeman and Zachary address: how to ensure compliance in the use of cross-device advertising and tracking; Telephone Consumer Protection Act lessons; and key differences in Canada and E.U. regulations. Part one covered how practitioners can navigate the regulatory environment for mobile advertising, including self-regulatory guidance and the increasingly important role of the FCC. See also “FTC Chair Addresses the Agency’s Data Privacy Concerns With Cross-Device Tracking” (Nov. 25, 2015).

    Read Full Article …
  • From Vol. 2 No.3 (Feb. 3, 2016)

    Germany Eases Restrictions on Certain Privacy Class Actions

    It is about to get a little easier for some groups in Germany to challenge companies’ privacy practices. On December 17, 2015, the German Parliament passed a new act that permits certain associations to file privacy class actions. Dr. Christian Schröder, an Orrick partner based in Düsseldorf, spoke with The Cybersecurity Law Report regarding the changes, the expected impact and how the German legal system differs from the U.S. class action process. See also “Seventh Circuit Reopens a Door for Plaintiffs in Data Breach Class Actions” (Jul. 29, 2015); and “Lessons From the 2013 Target Data Breach: What Future Resolutions of Large-Scale Data Breaches May Look Like” (May 6, 2015).

    Read Full Article …
  • From Vol. 2 No.3 (Feb. 3, 2016)

    Legal and Regulatory Expectations for Mobile Device Privacy and Security (Part One of Two)

    With consumers now using mobile devices in nearly every aspect of their personal and professional lives, companies are collecting, storing and sharing information from mobile use for a wide range of initiatives such as improving products and services and targeted advertising. During a recent webinar, WilmerHale partners D. Reed Freeman, Jr. and Heather Zachary examined the latest federal, state and self-regulatory privacy and data security expectations. Part one in this two-part series covers the panelists’ detailed discussion about how practitioners can navigate the regulatory environment for mobile advertising, including self-regulatory guidance and the increasingly important role of the FCC. In part two, Freeman and Zachary address: how to ensure compliance in the use of cross-device advertising and tracking; lessons from the Telephone Consumer Protection Act; and key aspects of the E.U. and Canada’s mobile privacy and data security regulations. See also “FTC Chair Addresses the Agency’s Data Privacy Concerns With Cross-Device Tracking” (Nov. 25, 2015).

    Read Full Article …
  • From Vol. 2 No.3 (Feb. 3, 2016)

    The FTC’s Big Data Report Helps Companies Maximize Benefits While Staying Compliant

    Recognizing the benefits of “big data” and its widespread use, on January 6, 2016, the FTC issued a staff report on best practices for companies to minimize risks of that use, including the potential for discrimination against certain populations. The report, Big Data: A Tool For Inclusion or Exclusion? Understanding the Issues, addresses applicable laws and policy considerations and provides a series of questions to help companies become and remain compliant. See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity” (Jul. 15, 2015).

    Read Full Article …
  • From Vol. 2 No.2 (Jan. 20, 2016)

    The E.U.’s New Rules: Latham & Watkins Partner Gail Crawford Discusses the Network Information Security Directive and the General Data Protection Regulation

    December was a busy month in Europe for data security and breach reporting, with representatives of the European Parliament, Council and Commission agreeing in the “trilogue” process to a sweeping new data protection regulation, the General Data Protection Regulation (GDPR). The GDPR toughens European data privacy law, already at odds with U.S. privacy law, by issuing heavier fines for non-compliance and by imposing more stringent obligations on both data controllers and processors. It also expands the territorial scope to apply to any company processing data in the E.U. and to companies outside the E.U. that offer goods and services to, or monitor the behavior of, E.U. residents. European Justice Commissioner Vera Jourova said that E.U. citizens and businesses “will profit from [these] clear rules that are fit for the digital age,” but many companies claim that the new law is less clear than originally hoped. The trilogue also announced its agreement on the proposed Network Information Security Directive, which is aimed at improving cybersecurity capabilities and mandating breach reporting in certain sectors. Latham & Watkins partner Gail Crawford explains the key points of each of these legal developments and what they mean for companies. See also “Seeking Solutions to Cross-Border Data Realities” (Aug. 26, 2015).

    Read Full Article …
  • From Vol. 2 No.1 (Jan. 6, 2016)

    Keeping Up with Technology and Regulatory Changes in Online Advertising to Mitigate Risks

    The advertising and marketing industries are continually transforming the ways they reach and track consumers.  These changes bring with them a moving target of privacy challenges as companies try to ensure security of the data they collect as well as legal and regulatory compliance.  At a recent PLI program, Joseph J. Lewczak, a Davis & Gilbert partner, and Matthew Haies, general counsel at global digital media platform Xaxis, analyzed the current state of consumer data collection and privacy issues in a discussion of technological, regulatory and legal developments.  See also “The Tension Between Interest-Based Advertising and Data Privacy” (Sep. 16, 2015).

    Read Full Article …
  • From Vol. 1 No.17 (Nov. 25, 2015)

    FTC Loses Its First Data Security Case 

    In the FTC’s first loss in a data breach security case, and the first such case to reach a full adjudication, an administrative law judge dismissed the agency’s complaint against LabMD, Inc. regarding two alleged cybersecurity incidents at LabMD.  The ALJ held, in a lengthy Initial Decision, that the FTC did not meet its burden on the first prong of the three-part test in Section 5(n) of the FTC Act – that LabMD’s conduct caused, or is likely to cause, substantial consumer injury.  Phyllis Marcus, counsel at Hunton & Williams, said the ALJ was “holding the FTC Complaint Counsel, rightfully so, to the fire.  Bald allegations of substantial injury or likelihood of substantial injury” to support an unfairness claim will no longer be sufficient if the case stands.  See also “The FTC Asserts Its Jurisdiction and Provides Ten Steps to Enhance Cybersecurity,” The Cybersecurity Law Report, Vol. 1, No. 8 (Jul. 15, 2015).

    Read Full Article …
  • From Vol. 1 No.17 (Nov. 25, 2015)

    FTC Chair Addresses the Agency’s Data Privacy Concerns with Cross-Device Tracking

    Consumers’ online presence is constantly in motion as they jump from device to device throughout the day.  Companies that want to track consumer activity are using new methods that follow consumers, and the platforms and applications they use, on these various devices.  The FTC recently held a workshop to examine and address privacy issues raised by cross-device tracking.  FTC Chairwoman Edith Ramirez commenced the workshop by explaining the Commission’s goal to allow technological innovation – with all the consumer benefits it offers – while safeguarding consumer privacy.  We highlight the key points of her speech in which she emphasized the importance of effective transparency, notice, choice and security.  See also “In the Wyndham Case, the Third Circuit Gives the FTC a Green Light to Regulate Cybersecurity Practices,” The Cybersecurity Law Report, Vol. 1, No. 11 (Aug. 26, 2015).  

    Read Full Article …
  • From Vol. 1 No.16 (Nov. 11, 2015)

    California Law Enforcement Faces Higher Bar in Acquiring Electronic Information

    California, looked to as a leader in privacy protections as well as breach notification requirements, has passed the California Electronic Communications Privacy Act (CalECPA), a new law that raises the bar for state law enforcement seeking electronic information.  Aravind Swaminathan and Marc Shapiro, Orrick partner and associate, respectively, told The Cybersecurity Law Report what CalECPA – which requires state law enforcement officials to secure a warrant before they can access electronic information – means for companies and individuals.  See also “Orrick Attorneys Explain California’s New Specific Standards for Breach Notification,” The Cybersecurity Law Report, Vol. 1, No. 15 (Oct. 28, 2015).

    Read Full Article …
  • From Vol. 1 No.15 (Oct. 28, 2015)

    Federal Courts Offer a Modern Interpretation of the VHS-Era Video Privacy Protection Act

    When does the 1988 Video Privacy Protection Act, which limits what companies can do with personal information about video consumption, apply to companies that post videos online?  The Eleventh Circuit and a New York district court recently dismissed complaints challenging the VPPA – passed in 1988 and designed to protect the privacy of individuals’ VHS rental preferences – narrowing the scope of the Act in the process.  Ellis v. The Cartoon Network, Inc. (11th Cir. Oct. 9, 2015) and Robinson v. Disney Online (S.D.N.Y. Oct. 20, 2015) both dealt with free smartphone apps, and questions regarding who is a “subscriber” and what “personally identifiable information” means under the statute.  Simon J. Frankel, a partner at Covington & Burling, told The Cybersecurity Law Report that “courts are really struggling with how the statute, not written for this context, applies in this context and [they are] trying to draw where the limits are.”  See also “The Tension Between Interest-Based Advertising and Data Privacy,” The Cybersecurity Law Report, Vol. 1, No. 12 (Sep. 16, 2015).

    Read Full Article …
  • From Vol. 1 No.15 (Oct. 28, 2015)

    Privacy and Data Security Considerations for Life Sciences and Health Technology Companies (Part Two of Two)

    Companies in the life sciences and health information technology industry face unique data privacy and security concerns based on the highly sensitive personal health information that they handle.  In our continued coverage of a recent health sector data privacy and security webinar, WilmerHale partners Barry Hurewitz and Jonathan Cedarbaum address HIPAA’s nuances, including requirements for business associates and its applicability in medical research.  They also highlight the latest regulatory guidance regarding medical and mobile devices, and move beyond HIPAA to examine current state and international regulations.  In part one, Hurewitz discussed security issues specific to life science and health information technology companies and provided a federal regulatory overview.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 1 No.14 (Oct. 14, 2015)

    Privacy and Data Security Considerations for Life Sciences and Health Technology Companies (Part One of Two)

    The health sector is faced with a web of complex regulations due to the particular sensitivity of the information it handles.  During a recent webinar, WilmerHale partners discussed special health data regulatory considerations at state, federal and international levels and how health care companies can navigate them.  In this article, the first in a two-part series, Barry Hurewitz examines the security issues specific to life sciences and health information technology companies, and provides an overview of the applicable regulatory standards at the federal levels, with a focus on HIPAA.  The second article will feature Hurewitz and Jonathan Cedarbaum’s coverage of the regulatory landscape as it relates to business associate agreements, medical research and recent developments regarding mobile devices, as well as special considerations of health data privacy regulation at the state and international levels.  See “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015). 

    Read Full Article …
  • From Vol. 1 No.12 (Sep. 16, 2015)

    The Tension Between Interest-Based Advertising and Data Privacy

    How can companies employ interest-based online advertising – targeting the exact consumers they covet – without running afoul of data privacy laws?  During a recent panel at PLI’s Sixteenth Annual Institute on Privacy and Data Security Law, Julia Horwitz, coordinator of the Electronic Privacy Information Center’s Open Government Program and Noga Rosenthal, general counsel and vice president for compliance and policy for the Network Advertising Initiative, offered their perspectives on the current interest-based advertising (IBA) climate.  The panelists discussed the evolution of IBA, potential privacy pitfalls and how companies are self-regulating.

    Read Full Article …
  • From Vol. 1 No.10 (Aug. 12, 2015)

    How the Hospitality Industry Confronts Cybersecurity Threats That Never Take Vacations

    Technology offers travelers the convenience they value – such as software that recalls a frequent traveler’s preferences, room key cards that act as charge cards at resort restaurants, stores and more.  However, these amenities come with risks to the travelers (as well as responsibilities for the company offering the convenience) relating to the collection of sensitive data.  In this interview with The Cybersecurity Law Report, Eileen Ridley, a partner at Foley & Lardner, discusses the hospitality industry’s specific data privacy and cybersecurity challenges, and offers best practices in the collection, storage and protection of the increasing amount of personal data these companies are holding.

    Read Full Article …
  • From Vol. 1 No.10 (Aug. 12, 2015)

    Navigating the Evolving Mobile Arena Landscape (Part Two of Two)

    Mobile devices, and their constantly changing technology, present unique cybersecurity and privacy issues.  In the second installment of our coverage of a recent panel at PLI’s Sixteenth Annual Institute on Privacy and Data Security Law, Aaron P. Simpson, a partner at Hunton & Williams and H. Leigh Feldman, global chief privacy officer at Citi, discuss these challenges and contextualize relevant policy and regulatory landscapes in the U.S. and Europe, including enforcement activity.  The first article in the series explained the specific challenges related to mobile and wearable technology and presented best practices for stakeholders as consumers demand control of their information.  See also “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015). 

    Read Full Article …
  • From Vol. 1 No.9 (Jul. 29, 2015)

    Canada’s Digital Privacy Act: What Businesses Need to Know

    Companies that conduct business in Canada or collect data from Canada will need to make significant changes going forward to comply with the recently enacted Digital Privacy Act.  As Kirsten Thompson, Daniel G.C. Glover and Marissa Caldwell of McCarthy Tétrault explain, the substantial regulation mandates breach notification, imposes new consent requirements and significant fines, and changes the confidentiality requirements within government investigations.  In addition, it gives the Office of the Privacy Commission of Canada an enforcement role.  Even companies with no Canadian presence are looking closely at this legislation as the U.S., Europe and other countries debate legislative proposals of their own.  

    Read Full Article …
  • From Vol. 1 No.9 (Jul. 29, 2015)

    How to Secure Evolving Mobile Technology and the Data It Collects (Part One of Two)

    Mobile device technology is changing at a rapid pace, as are the ways consumers are interacting with those devices.  This atmosphere is continually creating new cybersecurity and data privacy challenges that demand the attention of retailers, app developers, consumers and regulators.  During a recent panel at PLI’s Sixteenth Annual Institute on Privacy and Data Security Law, Aaron P. Simpson, a partner at Hunton & Williams, and H. Leigh Feldman, global chief privacy officer at Citi, discussed privacy and security issues in the mobile arena.  This article, the first of a two-part series, explains the specific challenges related to mobile and wearable technology and presents best practices for stakeholders as consumers demand control of their information.  See “Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).  The second article in the series will discuss the complex policy and regulatory landscapes for mobile devices in the U.S. and Europe, including enforcement efforts.  

    Read Full Article …
  • From Vol. 1 No.8 (Jul. 15, 2015)

    Understanding and Mitigating Liability Under the Children’s Online Privacy Protection Act

    Faced with the threat of steep civil penalties that can arise from active FTC enforcement, operators of commercial websites must exercise caution when collecting personal information from children under the age of 13.  The long reach of the Children’s Online Privacy Protection Act (COPPA) applies not only to first-party website operators but also extends to third parties that collect personal information on behalf of first-party operators in certain circumstances.  In a recent presentation, attorneys Julia Siripurapu and Ari Moskowitz of Mintz Levin discussed key provisions and implementation of COPPA, including compliance, enforcement and applicability to third parties.  They also provided advice on best practices for websites and online services regarding the collection and use of children’s personal information, and for educational institutions as parental agents.

    Read Full Article …
  • From Vol. 1 No.7 (Jul. 1, 2015)

    What Companies Need to Know About the FCC’s Actions Against Unwanted Calls and Texts

    The FCC has sent a strong message to companies that it will proactively monitor and regulate consumer consent related to phone calls and texts.  The agency claims this is the largest source of consumer complaints it receives.  “It is clear that the FCC will be more active in this area of enforcement,” Jen Deitch Lavie, a partner at Manatt, Phelps & Phillips, told The Cybersecurity Law Report.  The FCC recently has taken actions in two different forms to enforce and clarify the Telephone Consumer Protection Act (TCPA).  During the month of June, the FCC sent a public warning to PayPal regarding planned amendments to its User Agreement.  PayPal subsequently announced it would modify that agreement to address the FCC’s concerns.  The FCC also adopted a package of declaratory rulings regarding robocalls and spam texts that clarifies and modifies the TCPA in significant ways.  See also “FCC Makes Its Mark on Cybersecurity Enforcement with Record Data Breach Settlement,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 1 No.4 (May 20, 2015)

    Tackling Privacy and Cybersecurity Challenges While Fostering Innovation in the Internet of Things

    The Internet of Things – physical objects with Internet connectivity – provides conveniences and efficiencies for consumers and companies but also security and privacy challenges.  In this interview with The Cybersecurity Law Report, Ed McNicholas, a partner at Sidley Austin and co-chair of the firm’s privacy, data security and information law practice, discusses how companies should address privacy notification with connected devices, the consent issues and cybersecurity threats presented by the Internet of Things, and the movement toward a personalized Internet.

    Read Full Article …
  • From Vol. 1 No.2 (Apr. 22, 2015)

    FCC Makes Its Mark on Cybersecurity Enforcement with Record Data Breach Settlement

    With its $25 million settlement with AT&T, the “FCC has now planted its flag, and sent the message that it will use its powers to protect consumers,” Jenny Durkan, a partner at Quinn Emanuel Urquhart & Sullivan, told The Cybersecurity Law Report.  The FCC’s decision earlier this year to classify Internet providers as public utilities under the FCC’s jurisdiction has caused a broad range of companies to follow the agency’s actions closely.  The record AT&T settlement resolves an investigation into the theft of information by employees of a vendor call center in Mexico and requires AT&T to, among other things, overhaul its compliance program, provide free credit-monitoring services for affected customers and meet certain compliance benchmarks at intervals for the next seven years. 

    Read Full Article …