Privacy Law Blog

Consumer Review Fairness Act Taking Effect

The Consumer Review Fairness Act (CRFA) began to take effect yesterday, March 14, 2017. One aim of the CRFA is to protect consumers’ ability to publicly review services and vendors without being subject to restrictions or fines imposed by form contracts. It does so by voiding provisions within form contracts between consumers and service providers and/or vendors that restrict (or penalize) consumers from publicizing their reviews.

Under the CRFA, a form contract is “a contract with standardized terms (i) used by a person in the course of selling or leasing the person’s goods or services; and (ii) imposed on an individual without a meaningful opportunity for such individual to negotiate the standardized form.”[1]

The law states:

“a provision of a form contract is void from the inception of such contract if such provision: (A) prohibits or restricts the ability of an individual who is a party to the form contract to engage in a covered communication[2]; (B) imposes a penalty or fee against an individual who is a party to the form contract for engaging a covered communication; (C) transfers or requires an individual who is a party to the form contract to transfer to any person any intellectual property rights in review or feedback content, with the exception of a non-exclusive license to use the content, that the individual may have in any otherwise lawful covered communication about such person or the goods or services provided by such person.”[3]

This means that if vendors use standard form contracts which include such provisions and their customers are not afforded a genuine opportunity to negotiate the contracts, these restrictive provisions are void. Furthermore, the law states that “[i]t shall be unlawful for a person to offer a form contract containing a provision described as void” under the CRFA.[4]

This law is meant to protect the free speech of consumers, however it does not provide protection for defamatory or libelous postings, reviews which are violative of other laws, or the disclosure of confidential information. Furthermore, there are exceptions which businesses may avail themselves of.

The Federal Trade Commission and state attorney generals will have the authority to enforce the CRFA, however enforcement will not begin until December 14, 2017 and only apply to contracts in effect on or after that date.

[1]  (15 U.S.C.A § 45b (a)(3(A)).

[2] “The term ‘covered communication’ means a written, oral, or pictorial review, performance assessment of, or other similar analysis of, including by electronic means, the goods, services, or conduct of a person by an individual who is party to a form contract with respect to which such person is also a party.” (15 U.S.C.A § 45b (a)(2)).

[3] (15 U.S.C.A § 45b (b)(1)(A-C)).

[4] (15 U.S.C.A § 45b (c)).

New York Department of Financial Services Finalizes Cybersecurity Proposal

On February 16, 2017, the New York Department of Financial Services (the “DFS”) released a final version (the “Final Regulation”) of its proposed regulation, previously released in an earlier revised form on December 28, 2016, that would require banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity protections (the “Proposal”). For more information on the previous versions of the Proposal, please see our November 2016, December 2016 and January 2017 blog posts.

Although the Final Regulation retains most of the content of the Proposal, the Final Regulation departs from the Proposal by:

  • Expanding the types of entities that can qualify for an exemption from coverage by the Final Regulation (such as certain insurance companies) and identifying the sections of the Final Regulation from which such entities are exempt;
  • Clarifying that the gross annual revenue calculation relating to an exemption for smaller entities is based only on the Covered Entity’s and its Affiliates’ New York business operations;
  • Clarifying that the employee calculation relating to an exemption for smaller entities is based on the location of such employees of the Covered Entity or its Affiliates in New York or whether such employees are responsible for the Covered Entity’s business;
  • Broadening the requirement to notify the DFS of certain Cybersecurity Events: In the Proposal, to warrant notification to the DFS, a Cybersecurity Event had to meet two conditions: (1) be a Cybersecurity Event of which notice is required to be provided to a government body, self-regulatory agency or any other supervisory body, and (2) have a reasonable likelihood of materially harming any material part of the Covered Entity’s normal operations. In the Final Regulation, if a Cybersecurity Event meets either of these conditions, the Covered Entity must notify the DFS of such Cybersecurity Event within 72 hours; and
  • Relaxing the record retention requirements for audit trail records from five years to three years.

Under the Final Regulation, subject to certain exemptions, any individual, partnership, corporation, association or other entity operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law (a “Covered Entity”) is required to:

  • Establish a Cybersecurity Program designed to ensure the security of the Covered Entity’s information systems, which must include: information and systems security, data governance and classification, asset inventory and device management, access controls, disaster recovery plans, a Risk Assessment, vendor and third-party service provider management, and a written Incident Response Plan;
  • Adopt a written Cybersecurity Policy;
  • Designate a Chief Information Security Officer (“CISO”) responsible for implementing, overseeing and enforcing the cybersecurity program and policy; and
  • Comply with notice and reporting requirements, which include: reporting certain Cybersecurity Events to the DFS within 72 hours, and submitting annual compliance certifications to the DFS by February 15 of each year.

The Final Regulation is effective March 1, 2017 and establishes the following four compliance deadlines:

  • For requirements not specifically addressed below, the compliance deadline is September 1, 2017.
  • For the requirements in sections 500.04(b) (Chief Information Security Officer report), 500.05 (penetration testing and vulnerability assessments), 500.09 (risk assessment), 500.12 (multi-factor authentication), and 500.14(b) (cybersecurity training for personnel), the compliance deadline is March 1, 2018.
  • For the requirements in sections 500.06 (audit trail), 500.08 (application security), 500.13 (limitations of data retention), 500.14(a) (implementation of policies and procedures regarding monitoring), and 500.15 (encryption of nonpublic information), the compliance deadline is September 1, 2018.
  • For the requirements in section 500.11 (Third Party Service Provider Security Policy), the compliance deadline is March 1, 2019.

Since there is a short period of time before the first compliance deadline of September 1, 2017, Covered Entities should start formulating a plan to comply with the Final Regulation.

  • If a Covered Entity qualifies for an exemption, it must file a Notice of Exemption with the DFS.
  • If a Covered Entity does not qualify for an exemption, it must prepare the following documents:
    • Cybersecurity Policy;
    • Incident Response Plan;
    • Documentation of the required Risk Assessment;
    • Certification of Compliance to be submitted to the DFS (and relevant attachments);
    • Annual report to be delivered by the CISO to the Covered Entity’s board of directors; and
    • Third Party Service Provider Security Policy.

Proskauer’s Privacy and Data Security practice group has formulated a plan of action and scope of work for its clients who are covered by the Final Regulation. Contact your relationship contact at Proskauer for assistance.

Kingdom in the Cloud: Saudi Arabia’s Draft Cloud Computing Regulations

Proskauer litigation associate Courtney Bowman and Jonathan Reardon, head of the Al Khobar, Saudi Arabia office of the Middle East-based firm Al Tamini & Co., recently co-authored an article published by Bloomberg about Saudi Arabia’s draft cloud computing regulations.  The article analyzes the draft regulations and their potential impact on cloud service providers seeking to enter or expand their Saudi presence.  The article also provides context about the Kingdom’s interest in enhancing its profile in the technology sector as part of a strategy to shift away from being a largely oil-based economy.  Click here to read the full article.

Qatar’s New Personal Data Privacy Law

At the end of last year, Qatar became the first Gulf state to enact a comprehensive privacy law. Until now, the many companies that market to consumers or have employees based in Gulf Cooperation Council (GCC) countries have had to determine their local practices based on the various countries’ patchwork of sector-specific laws and regulations, as well as the differing privacy regimes in force in the region’s business-focused free zones. Now, at least in Qatar, the Personal Data Privacy Law ostensibly serves as a single law governing the collection and processing of data subjects’ personal information, and may serve as an exemplar for future GCC privacy laws.

Continue Reading

Draft Privacy and Electronic Communications Regulation published by European Commission

The European Commission has released proposals for new legislation that seeks to create stronger privacy in electronic communications. The draft Privacy and Electronic Communications Regulation (the “Regulation”) is intended to replace the ePrivacy Directive (2002/58/EC) and will also bring the law in line with the new rules as set out in the General Data Protection Regulation (the “GDPR”) as part of the process to modernize the data protection framework in the EU. As a regulation (rather than a directive) it will apply uniformly across the EU as there will be one single set of rules which will crease more legal certainty, save for certain prescribed areas where EU Member States can have their own rules. Continue Reading

New York Department of Financial Services Revises Cybersecurity Proposal: Greater Flexibility and Delayed Compliance Deadlines

As we previously reported, in December 2016 the New York Department of Financial Services (the “DFS”) announced that it was revising its proposed regulation that would require banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity protections (the “Original Proposal”).

On December 28, 2016, the DFS released a revised version of the Original Proposal (the “Revised Proposal”) that incorporates greater flexibility with respect to requirements as well as delayed compliance deadlines. The Revised Proposal is subject to a final thirty-day comment period.

Continue Reading

CJEU holds that mass surveillance must not be general and indiscriminate

The CJEU (the European Union Court of Justice) has handed down a decision which makes clear that general and indiscriminate retention of electronic communications is unlawful. National legislation of each European Member State should ensure that mass surveillance only occurs where it is strictly necessary in order to combat serious crime as well as terrorism and meets other stringent requirements.

The references were made by the Swedish and UK courts and concerned the interpretation of the Privacy and Electronic Communications Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) (the “Directive”), in light of the rights granted by the Charter of Fundamental Rights of the European Union (the “Charter”), particularly, the right to privacy (Article 7) and the right to protection of personal data (Article 8), and the decision of the CJEU in Digital Rights Ireland (C‑293/12 and C‑594/12).

Continue Reading