Privacy Law Blog

Tag Archives: data security

German DPAs Announce Policy Severely Limiting Mechanisms for Lawful Germany-to-U.S. Data Transfers

Over the course of the coming weeks, we will examine the various options available to companies in light of the European Court of Justice’s (CJEU) decision invalidating the US-EU Safe Harbor framework, including model contracts, binding corporate rules (BCRs), consent and reliance on derogations. News out of Germany, however, indicates that a one-size-fits all approach … Continue Reading

FTC Issues Report and Privacy Best Practices for the Internet of Things

On January 27, 2015 the Federal Trade Commission (the “FTC”) issued a report detailing best practices and recommendations that businesses engaged in the Internet of Things (“IoT”) can follow to protect consumer privacy and security. The IoT refers to the connection of everyday objects to the Internet and the transmission of data between those devices. … Continue Reading

California Amends Data Breach Notification Law

On September 27, 2013, California Governor Jerry Brown signed into law an amendment to California’s breach notification law (Cal. Civ. Code § 1798.82).  Effective January 1, 2014, under the amended law, the definition of “Personal Information” will be expanded to include “a user name or email address, in combination with a password or security question … Continue Reading

India Issues Clarification of Recent Privacy Rules

As mentioned in a prior post on this blog, earlier this year the Indian Ministry of Communications and Information Technology issued new privacy and data security rules under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (the “Privacy Rules”). The strict consent requirements relating to the collection … Continue Reading

Let us tell you how we see this going down: White House publishes cybersecurity legislative proposal

On May 12, 2011, the Obama Administration released its legislative proposal concerning cybersecurity. The stated focus of the proposal is to shore up cybersecurity measures to protect the American people, the Nation's critical infrastructure, and the Federal Government's networks and computers while providing a framework for safeguarding individual privacy and civil liberties. … Continue Reading

Bay State “Brings It”: Attorney General Enters Consent Agreement with Restaurant Group for Data Security Failures

On March 28, 2011, the Massachusetts Superior Court issued a Final Judgment by Consent between the Commonwealth and Briar Group, LLC that resolves allegations that Briar Group failed to take measures to protect consumer credit and debit card information. Pursuant to the Final Judgment, Briar Group must pay $110,000 to the Commonwealth, establish a written information security program ("WISP"), and implement a number of other information security measures to help protect customer data. … Continue Reading

French Data Protection Agency Issues Guidelines to Help Companies Strengthen the Security of their Data Processing

To assist companies to comply with European data protection laws, in particular those implemented in France, the French Data Protection Agency (known as "CNIL") recently issued a set of guidelines organized by topic which provide elementary precautions to be taken by data controllers in several subject areas, including what types of conduct are prohibited as well as the CNIL's recommendations in these areas. … Continue Reading

Massachusetts Data Security Regulations: Your Company May Not Be Located There, But If Your Customers Are, You Need to Comply

As we’ve discussed in prior posts, newly effective regulations promulgated under Massachusetts’ recent data security law, Mass. Gen. Law ch. 93H, have raised the bar for data security compliance, and they have a long reach.  The regulations are national and international in scope, as they apply to all companies – wherever located– using personal data … Continue Reading

The FTC Brings 27th Case for “Faulty Data Security Practices”

On March 25, 2010, the Federal Trade Commission ("FTC") announced that it had entered into a settlement with entertainment operator, Dave & Buster's, Inc., for alleged violations of Section 5(a) of the FTC Act, and for "engag[ing] in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its networks." The settlement marks the 27th case brought by the FTC against a company for insufficient data security practices. … Continue Reading

Life Unlocked? FTC and 35 State Attorneys General Ding LifeLock, Inc. for Deceptive Claims and Poor Data Security

On March 9, 2010, the Federal Trade Commission and 35 state attorneys general announced a negotiated settlement with LifeLock, Inc. which resolves charges that LifeLock misrepresented the nature and effectiveness of the identity theft protection services it offers, and made false claims about its own data security practices. In the words of FTC Chairman Jon Leibowitz, "While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it." … Continue Reading

French Data Protection Agency Issues Recommendations Regarding Employees’ Personal Data that Companies in France May Collect To Minimize the Impact of Swine Flu on Business Continuity

In anticipation of the Swine Flu and the consequences that it may have upon the continuity of the business of companies, the French Data Protection Agency (known under the acronym "CNIL") recently issued recommendations regarding employers’ collection of employee data in connection with their swine flu business continuity programs. The French government has strongly recommended … Continue Reading

Massachusetts’ Revised Data Security Regulations Extend Deadline (Again) and Soften Some Requirements

Undersecretary Barbara Anthony, of the Massachusetts Office of Consumer Affairs and Business Regulation, announced today revisions to Massachusetts’ data security regulations, as well as an extension of the applicable compliance deadline from January 1, 2010 to March 1, 2010.  (Previous to an earlier extension, the compliance deadline was May 1, 2009.) The revised regulations emphasize … Continue Reading

Third Time’s a Charm for “Data Accountability and Trust”? Federal Breach Notification Bill Introduced in the House. Again. This Time With Data Security Provisions.

On April 30, 2009, Representative Bobby Rush (D-Ill) introduced H.R. 2221, the Data Accountability and Trust Act. The bill is nearly identical to H.R. 958, introduced by Rep. Rush in the 110th Congress, and is similar to the Data Accountability and Trust Act, introduced by Rep. Stearns (R-FL) in the 109th Congress. Of course, the newest "Data Accountability and Trust Act" is only the most recent of dozens of bills proposed over the last several years that would implement uniform federal breach notification requirements and preempt the 44 state laws requiring notification. Rep. Rush's latest bill also includes data security provisions and would preempt the growing number of state laws imposing such requirements. … Continue Reading

Federal Trade Commission Announces Settlement with TJX Over Inadequate Security Practices

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and … Continue Reading

Governor Schwarzenegger Says No to California A.B. 779

On Saturday, California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California's landmark data security breach legislation. The bill would have been the first to follow law enacted by Minnesota earlier this year and effective August 1, 2007, that amended Minnesota's security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction. … Continue Reading