U.S. Department of Labor Steps into the Cybersecurity Discussion

By Robert Projansky, Steven Weinstein and Randall Bunnell on April 16, 2021 Posted in Cybersecurity

Formally wading into the cybersecurity discussion for the first time, on April 14, 2021, the U.S. Department of Labor (DOL) posted on its website a suite of new guidance, including Tips for Hiring a Service Provider with Strong Cybersecurity Practices, Cybersecurity Program Best Practices, and Online Security Tips for Participants and Beneficiaries.

By way of background, cybersecurity has over the last decade become an area of critical importance to sponsors and administrators of employee benefit plans as well as plan participants. Put simply, this is because plans (which the DOL estimates hold $9.3 trillion in assets) are a prime target of cyberthieves, given that they typically hold significant amounts of sensitive participant data, often permit electronic access to funds (think 401(k) distributions) and rely on outside service providers, who provide additional access points for breach. This risk was only exacerbated by the COVID-19 shutdowns, where benefits personnel and their service providers quickly had to transition to working remotely and begin relying on electronic access more than ever before.

Read the full post on Proskauer’s Employee Benefits & Executive Compensation Blog.

Tags: BEST PRACTICES, CYBERCRIME, cybersecurity, DOL, FIDUCIARY, HEALTH PLANS, RETIREMENT PLANS

Litigation Breeding Ground: Illinois’ Biometric Information Privacy Act

By Ryan Blaney, Julia Alonzo and Brooke Gottlieb on March 18, 2021 Posted in Biometrics, Privacy Law, Privacy Litigation

Illinois’ Biometric Information Privacy Act (“BIPA”) is alive and well as a potential breeding ground for litigation for tech companies. In the last month, two settlements have been announced in class actions where the plaintiffs alleged violations of BIPA in the U.S. District Court for the Northern District of Illinois. These settlements show that companies collecting biometrics should take care to ensure that their practices do not run afoul of BIPA’s requirements. Continue Reading

Tags: biometric identifier, Biometric Information Privacy Act, BIPA, BIPA Violations, Corey Heard v. Becton Dickinson & Co., Facial Recognition Technology Disclosure, H.K. et al. v. Google LLC, Rosenbach v. Six Flags, technology, Technology companies, U.S. District Court for the Northern District of Illinois

Notable Trends in Privacy and Data Security

By Jeffrey Neuburger and Jonathan Mollod on March 18, 2021 Posted in Cybersecurity, Data Breaches, Data Privacy Laws, Privacy Law

COVID-19, the California Consumer Privacy Act (CCPA) coming into force, and the invalidation of the EU-US Privacy Shield already made 2020 an especially active year for privacy and data security risks and obligations. Rounding out the year, December then brought discovery of the unprecedented Solarwinds cyberattack affecting government agencies, critical infrastructure entities and others.

Thus, looking ahead, organizations must keep up with the dynamic and increasing legal obligations governing privacy and data security, understand how they apply, monitor risks and attack trends, and manage their compliance to minimize exposure.

Read our Practical Law article for an overview of the past year’s privacy and data security legal developments and predictions for issue to look out for 2021.

Tags: California Consumer Privacy Act (CCPA), Children’s Online Privacy Protection Act of 1998 (COPPA), Compliance, contact tracing technologies, COVID-19, cpra, data security, EU-US Privacy Shield, FEDERAL TRADE COMMISSION (FTC), pandemic, privacy law, privacy litigation, State Guidance

The Future of the FTC: Part II

By Ryan Blaney and Brooke Gottlieb on March 3, 2021 Posted in Children's Online Privacy Protection Act, FTC Enforcement, Privacy Law

A previous blog post discussed FTC Chairwoman Slaughter’s first priority as the newly designated chairwoman – the COVID-19 pandemic. The FTC’s second priority, racial equity, can be broken down into two sub issues. First, the FTC plans to investigate biased and discriminatory algorithms that target vulnerable communities. As the FTC acknowledges, the analysis of data can help companies and consumers, “as it can guide the development of new products and services, predict the preferences of individuals, help tailor services and opportunities, and guide individualized marketing.” Nonetheless, the FTC cautions companies to consider the below before making decisions based on the results of big data analysis.

Tags: Children’s Online Privacy Protection Act of 1998 (COPPA), COPPA, COVID-19, data collection data collection, education, FEDERAL TRADE COMMISSION (FTC), FTC Guidance, pandemic, privacy law, racial equity, technology

The Future of the FTC: Part I

By Ryan Blaney and Brooke Gottlieb on February 24, 2021 Posted in Children's Online Privacy Protection Act, FTC Enforcement, Privacy Law

On January 21, 2021, President Biden designated Federal Trade Commission (the “FTC”) Commissioner Rebecca Kelly Slaughter as acting chair of the FTC. Soon thereafter in one of her first speeches in her new role, Chairwoman Slaughter announced two substantive areas of priority for the FTC – the COVID-19 pandemic and racial equity. Continue Reading

Tags: Children’s Online Privacy Protection Act of 1998 (COPPA), COPPA, COVID-19, data collection, education, FEDERAL TRADE COMMISSION (FTC), FTC Guidance, pandemic, privacy law, racial equity, technology

Circuit Split Deepens as Eleventh Circuit Rejects “Risk of Identity Theft” Theory of Standing in Data Breach Suit

By Melissa D. DiGrande on February 18, 2021 Posted in Data Breaches, Privacy Law, Privacy Litigation

On February 4, 2021, the Eleventh Circuit affirmed the dismissal of a customer’s proposed class action lawsuit against a Florida-based fast-food chain, PDQ, over a data breach. The three-judge panel rejected the argument that an increased risk of identity theft was a concrete injury sufficient to confer Article III standing, deepening a circuit split on this issue.

Read the full post on Proskauer’s Minding Your Business blog.

Tags: class action, data breach, ELEVENTH CIRCUIT, Fair and Accurate Credit Transactions Act, hackers, identity theft, LLC, MURANSKY V. GODIVA CHOCOLATIER INC., privacy law, privacy litigation, SCOTUS, TSAO V. CAPTIVA MVP RESTAURANT PARTNERS, U.S. SUPREME COURT, UNFAIR AND DECEPTIVE TRADE PRACTICES ACT

Structuring a Two Track Cyber Investigation: Lessons from Wengui v. Clark Hill

By Stephanie A. Diehl on February 8, 2021 Posted in Data Breaches, Data Privacy Laws, Privacy Law, Privacy Litigation

As the D.C. District Court in Wengui v. Clark Hill recently commented, “[m]alicious cyberattacks have unfortunately become a routine part of our modern digital world. So have the lawsuits that follow them….” The court’s decision in that case has added another data point to developing jurisprudence of the cyberattack landscape, specifically concerning the discoverability of post-breach forensics reports.

Reas the full post on Proskauer’s Minding Your Business blog.

Tags: CYBER INVESTIGATION, CYBERATTACK, cybersecurity, CYBERSECURITY VENDOR, data breach, LIABILITY ISSUES, POST-BREACH FORENSICS REPORTS, TWO TRACK INVESTIGATION, WENGUI V. CLARK HILL