Privacy Law Blog | Privacy & Data Security Lawyers

FTC Issues Report and Privacy Best Practices for the Internet of Things

By Rohit Dave on February 18th, 2015 Posted in Data Privacy Laws, FTC Enforcement

On January 27, 2015 the Federal Trade Commission (the “FTC”) issued a report detailing best practices and recommendations that businesses engaged in the Internet of Things (“IoT”) can follow to protect consumer privacy and security. The IoT refers to the connection of everyday objects to the Internet and the transmission of data between those devices. According to Gartner estimates the IoT services spending will reach $69.5 billion in 2015. The potential benefits of IoT growth include enhanced healthcare through connected medical devices, convenience and cost savings through home automation and improved safety and convenience through connected cars.

SEC Releases Results of Cybersecurity Examination Sweep

By Kristen J. Mathews on February 12th, 2015 Posted in Cyber Security

By Rochelle Emert and Phillip Caraballo-Garrison

On February 3, 2015, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert that summarized its findings about cybersecurity preparedness in the securities industry. As part of its Cybersecurity Examination Initiative, the OCIE collected and analyzed information about cybersecurity practices and trends from over 100 registered investment advisers and broker-dealers. Proskauer discussed the OCIE study and its key findings in a client alert located here. With the OCIE stating that it will continue to focus on cybersecurity issues through 2015, registered investment advisers and broker-dealers should evaluate their cybersecurity policies and procedures in consideration of the OCIE findings.

Responding to the Anthem Cyber Attack

By Kristen J. Mathews, Roger Cohen and Ellen Moskowitz on February 10th, 2015 Posted in Data Breaches

Authors: Roger Cohen, Paul Hamburger, Kristen Mathews, Ellen Moskowitz, Richard Zall

Anthem Inc. (Anthem), the nation’s second-largest health insurer, revealed late on Wednesday, February 4 that it was the victim of a significant cyber attack. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including those insured by related Anthem companies. Continue Reading

School’s Out: COPPA’s Limiting Reach in the Classroom

By Chelsea Handler on February 3rd, 2015 Posted in Children's Online Privacy Protection Act

On January 23, 2015, Senior Attorney Lesley Fair at the Federal Trade Commission (“FTC”) posted on the Agency’s business blog clarifying how the Children’s Online Privacy Protection Act (“COPPA”) applies to schools. COPPA seeks to protect the privacy of children by allowing parents to control what personal information about their children under the age of thirteen may be collected by “operators” of websites or online services, including apps, that are either directed to children or that knowingly collect personally identifiable information from children. Subject to certain regulatory exceptions, the entities covered by COPPA must notify parents and obtain consent before collecting, using, or disclosing any personal information from children under thirteen. Continue Reading

Courts Address the Level of Security Banks Must Provide to Business Accounts

By Angel Diaz on January 28th, 2015 Posted in Cyber Security

Big or small, all bank accounts are susceptible to hijacking and fraudulent wire transfers. Banks ordinarily bear the risk of loss for unauthorized wire transfers. Two independent frameworks exist to govern these transfers: the Electronic Fund Transfer Act (“EFTA”) for consumer accounts, and Article 4A of the Uniform Commercial Code (“UCC”) for business accounts.

While the EFTA will ordinarily shield consumers from having to pay for most unauthorized charges as long as they provide notice to their bank, UCC §4A-202 shifts the risk of loss to the customer if the bank can show that (1) a commercially reasonable security procedure was in place and (2) the bank accepted the payment order in good faith and in compliance with the security procedure and any other written agreement or customer instruction.

The commercial reasonability of a security procedure is a question of law, and courts will consider several factors, including:

Customer instructions expressed to the bank
The bank’s understanding of the customer’s situation, including the size, type, and frequency of payment orders ordinarily issued
Alternative security procedures offered to the customer
Security procedures in general use by similarly situated banks and customers.

In addition, a security procedure will be found commercially reasonable if the customer selected it after refusing a security procedure that was commercially reasonable for the customer’s needs.

What Preemption? Connecticut State Court Gives Life to Negligence Claims Based on HIPAA Privacy Standard of Care

By Douglas Dahl on December 22nd, 2014 Posted in HIPAA

Like many federal statutes, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains a provision governing how the statute is designed to interact with similar or otherwise related state laws. When this type of provision is used to override or supplant similar state laws, the provision is called “preemptive.” On November 11, 2014, the Connecticut Supreme Court held in Byrne v. Avery Center For Obstetrics and Gynecology, P.C. that state law negligence claims are not preempted by HIPAA even where the plaintiff relies on HIPAA to establish the applicable standard of care. In so holding, the Court Continue Reading

Native Advertisers Face Closer Scrutiny From Industry Self-Regulatory Bodies

By Angel Diaz on December 16th, 2014 Posted in Behavioral Marketing, Online Privacy

With paywalls and premium subscriptions finding only modest success, paid advertisements remain the primary means of generating revenue from online content. Native advertising has emerged as a leader in the competition for ad impressions and brand engagement. Expected to grow from $7.9 billion in spending this year to $21 billion by 2018, native advertising is lauded as the future of online advertising. Continue Reading

From the Right to be Forgotten to the Right to an “e-Reputation’’: First Enforceability Ordered by French Court under Penalty

By Cecile Martin on December 16th, 2014 Posted in Data Privacy Laws, International, Online Privacy, Privacy Litigation

A few months after the European Court of Justice ruled on May 13, 2014 that search engines are considered personal data controllers under the EU Data Protection Directive of 1995 and, as such, should provide data subjects with a right to be forgotten, a French Tribunal enforced this principle in X & Y v. Google France.

In a summary proceeding on September 16, 2014, the Paris Tribunal (Tribunal de Grande Instance) held that Google must erase from its search engine, under penalty of €1,000 per day, all links leading to defamatory content published on Facebook (see attached judgement: TGI Paris – Ordonnance du 16 septembre 2014). Continue Reading

A Primer on EMV Technology for Merchants

By Courtney Bowman on December 15th, 2014 Posted in Miscellaneous

With the new year just around the corner, retailers should make a resolution to learn more about EMV technology. That’s because 2015 is slated to be the year EMV technology makes significant inroads in the United States, and retailers need to be prepared. In this post, we answer some frequently asked questions about what the introduction of this new standard means for retailers and the steps they must take in order to prepare for the widespread adoption of this new technology. Continue Reading

Attention Retailers: Target Data Breach Ruling Finds Duty Owed to Issuer Banks

By Margaret A. Dale on December 11th, 2014 Posted in Data Breaches

The Court hearing the Target data security breach litigation issued a ruling on December 2, 2014, largely denying Target’s motion to dismiss the Consolidated Amended Class Action Complaint in the Financial Institutions Cases. In his decision, Judge Magnuson found that Target owed the issuer banks a duty to protect customer data from hackers, a determination that was based on allegations that Target played a “key role” in allowing the break-in to occur by intentionally disabling one of the security features that would have prevented the harm. Decision at 5. At issue in the case is whether Target should be held responsible for the costs incurred by the issuer banks as a result of fraudulent charges and to replace customers’ credit and debit cards.

The importance of the decision is that it provides banks with a legal basis to seek to hold merchants financially responsible for the costs of data breaches if the facts suggest the merchants’ data security systems were deficient.

Of course, this is just the first round in the litigation and the banks will still need to prove their case before imposing liability on Target. That said, this decision is surely a sign of things to come and we will continue to mind the store and report on developments.

European DPA’s Give Privacy Recommendations to Stakeholders Regarding the “Internet of Things”

By Marianne Le Moullec on November 13th, 2014 Posted in Data Privacy Laws

The Article 29 Working Party, which is composed of representatives of DPA’s from every European country, has recently rendered an opinion (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf ) on data privacy issues surrounding the development of the “Internet of Things” (IoT), which includes wearable computing, quantified self devices, and domotics. Although such data is generated by “things” or devices, it is considered personal data because it may enable the life pattern of a specific individual to be discerned. After identifying the major privacy issues raised by such devices, the Article 29 Working Party made a series of recommendations to IoT stakeholders. Continue Reading