Capital One Financial Corp. (“Capital One”) and three collection agencies have agreed to pay one of the largest settlement amounts in history — $75.5 million — to end a consolidated class action lawsuit alleging that the companies used an automated dialer to call customers’ cellphones without consent in violation of the twenty-two-year-old Telephone Consumer Protection Act (“TCPA”). Judge Holderman of the Northern District of Illinois preliminarily approved the settlement in late July. Continue Reading
In April, Microsoft tried to quash a search warrant from law enforcement agents in the United States (U.S.) that asked the technology company to produce the contents of one of its customer’s emails stored on a server located in Dublin, Ireland. The magistrate court denied Microsoft’s challenge, and Microsoft appealed. On July 31st, the software giant presented its case in the Southern District of New York where it was dealt another loss. Continue Reading
On August 7, 2014 the PCI Security Standards Council issued new guidance to supplement PCI DSS Requirement 3.0 and help organizations reduce the risks associated with entrusting third-party service providers (“TPSPs”) with consumer payment information. More and more merchants use TPSPs to store, process and transmit cardholder data or manage components of the entity’s cardholder data environment. A number of studies have shown that breach is tied increasingly to security vulnerabilities introduced by third parties. To combat such risk, a PCI special interest group made up of merchants, banks and TPSPs, together representing more than 160 organizations, created practical guidelines for how merchants and their business partners can work together to comply with the existing PCI standard and protect against breach. Continue Reading
On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with an out-of-state Rhode Island hospital, Women & Infants Hospital of Rhode Island (“WIH” or the “Hospital”), resolving a lawsuit against WIH for violations of federal and state information security and privacy laws involving the loss of over 12,000 Massachusetts residents’ sensitive patient health records. The regulations and laws at issue were Mass. G.L. c. 93A, Mass. G.L. c. 93H and its implementing regulations codified at 201 C.M.R. 17.00 et. seq., as well as federal regulations under the Health Insurance Portability and Accountability Act (“HIPAA”). Continue Reading
As we’ve previously reported, cyber risks are an increasingly common risk facing businesses of all kinds. In a recent speech given at the New York Stock Exchange, SEC Commissioner Luis A. Aguilar emphasized that cybersecurity has grown to be a “top concern” of businesses and regulators alike and admonished companies, and more specifically their directors, to “take seriously their obligation to make sure that companies are appropriately addressing those risks.” Continue Reading
Over the past decade, the EU has made significant technological and legal strides toward the widespread adoption of electronic identification cards. An electronic ID card, or e-ID, serves as a form of secure identification for online transactions – in other words, it provides sufficient verification of an individual’s identity to allow that person to electronically sign and submit sensitive documents such as tax returns and voting ballots over the Internet. Many people see e-IDs as the future of secure identification since they offer the potential to greatly facilitate cardholders’ personal and business transactions, and the EU Commission has recognized this potential by drafting regulations meant to eliminate transactional barriers currently hindering the cards’ cross-border reach. However, the increasingly widespread use of e-ID systems also gives rise to significant data security concerns. Continue Reading
In France, before implementing a whistleblowing process, a company must inform and consult with its employees’ representatives, inform its employees and notify the French Data Protection Agency (CNIL).
There are two possible ways to notify the CNIL of a whistleblowing system:
- request a formal authorization from the CNIL (this is quite burdensome and difficult to obtain), or
- opt for the standard whistleblowing authorization (AU-004). Continue Reading
On June 25, 2014, the Supreme Court unanimously ruled that police must first obtain a warrant before searching the cell phones of arrested individuals, except in “exigent circumstances.” Chief Justice John Roberts authored the opinion, which held that an individual’s Fourth Amendment right to privacy outweighs the interest of law enforcement in conducting searches of cell phones without a warrant. The decision resolved a split among state and federal courts on the search incident to arrest doctrine (which permits police to search an arrested individual without a warrant) as it applies to cell phones.
The case of Riley v. California as heard before the Supreme Court combined two cases, one involving a smartphone and the other involving a flip phone. In the first case, Riley v. California, the police arrested David Leon Riley, searched his smartphone, and found photographs and videos potentially connecting him to gang activity and an earlier shooting. In the second case, United States v. Wurie, Brima Wurie was arrested for allegedly dealing drugs, and incoming calls on his flip phone helped lead the police to a house used to store drugs and guns. Continue Reading
On July 2, 2014 Singapore’s new Personal Data Protection Act (the “PDPA” or the “Act”)) will go into force, requiring companies that have a physical presence in Singapore to comply with many new data protection obligations under the PDPA. Fortunately, in advance of the Act’s effective date, the Singapore Personal Data Commission has recently promulgated Personal Data Protection Regulations (2014) (the “Regulations”) to clarify companies’ obligations under the Act.
Under the PDPA, an individual may request from an organization that is subject to the Act access to, and correction of, the personal data that the organization holds about that individual. The Regulations clarify that the request must be made in writing and must include sufficient identifying information in order for the organization to process the request. The Regulations also specify that the request for access or correction should be made to the company’s Data Protection Officer (which companies are now required to appoint under the Act). Under the Regulations, an organization must respond to the request for access to personal data “as soon as practicable” but if it is anticipated that it will take longer than 30 days to do so, the organization must so inform the individual within that 30 day period. Continue Reading
After a decision denying class certification last week, claims by Hulu users that their personal information was improperly disclosed to Facebook are limited to the individual named plaintiffs (at least for now, as the decision was without prejudice).
The plaintiffs alleged Hulu violated the federal Video Privacy Protection Act by configuring its website to include a Facebook “like” button. This functionality used cookies that disclosed users’ information to Facebook. But, the U.S. District Court for the Northern District of California credited expert evidence presented by Hulu that three things could stop the cookies from transmitting information: 1) if the Facebook “keep me logged in” feature was not activated; 2) if the user manually cleared cookies after his or her Facebook and Hulu sessions, or 3) if the user used cookie blocking or ad blocking software. Continue Reading
Last month, a federal district court in the Northern District of California issued an order that may affect the policies of any company that records telephone conversations with consumers.
The trouble began when plaintiff John Lofton began receiving calls from Collecto, Verizon’s third-party collections agency, on his cell phone. The calls were made in error – Lofton did not owe Verizon any money because he wasn’t even a Verizon customer – but Lofton decided to take action when he discovered that Collecto had been recording its conversations with him without prior notice. Lofton brought a class action against Verizon under California’s Invasion of Privacy Act, theorizing that Verizon was vicariously responsible for Collecto’s actions because Collecto was Verizon’s third-party vendor and because Verizon’s call-monitoring disclosure policy did not require the disclosure of recordings in certain situations. Verizon filed a motion to dismiss, arguing that the recordings did not invade Lofton’s privacy and therefore did not run afoul of the statute. Continue Reading