Privacy Law Blog

GDPR FAQ’s for Fund Managers

The General Data Protection Regulation (GDPR) comes into force across the European Union (EU) on 25 May 2018. It will have an impact on EU fund managers and may have an impact on non-EU fund managers depending on their operations. Below are FAQs to help EU and non-EU fund managers determine the extent to which the GDPR may affect them and the next steps they should consider taking. Compliance with GDPR is especially important given the potential fines (up to EUR 20 million or 4% of a business’s worldwide annual turnover) that can be imposed for breaches.

GDPR: FAQ for EU Fund Managers

GDPR: FAQ for Non-EU Fund Managers

Colorado and Vermont Adopt Cybersecurity Rules Covering Broker-Dealers and Investment Advisers

State financial regulators in Colorado and Vermont recently adopted cybersecurity rules that apply to broker-dealers and investment advisers regulated by those states as well as certain other “securities professionals” in Vermont.

The broad definition of “securities professional” in Vermont’s regulation (“any person providing investment-related services in Vermont”) could include entities that do not generally consider themselves to be regulated by Vermont’s financial regulator.

Colorado’s and Vermont’s cybersecurity rules require covered entities to implement certain practices including: authentication practices for employee access (which could include multi-factor or two-factor authentication), procedures for authenticating client instructions received via electronic communication, and an annual cybersecurity risk assessment. Notably, Vermont’s regulation also requires that covered entities maintain cybersecurity insurance and provide identity restoration services in the event of a breach. Continue Reading

Concrete Enough to Stand: Ninth Circuit Upholds FCRA Claims in Spokeo

On August 15, 2017, the Ninth Circuit delivered the latest episode in the Robins v. Spokeo saga, reaffirming on remand from the Supreme Court that plaintiff Robins had alleged an injury in fact sufficient for Article III standing to bring claims under the Fair Credit Reporting Act (FCRA).

Robins had brought a putative class action against Spokeo, which operates a “people search engine” that compiles consumer data into online reports of individuals’ personal information.  Robins alleged that Spokeo had willfully violated the FCRA’s procedural requirements, including that consumer reporting agencies must “follow reasonable procedures to assure maximum possible accuracy of the information” in consumer reports, because Spokeo’s report on Robins allegedly listed the wrong age, marital status, wealth, education level, and profession, and included a photo of a different person.  According to Robins, the inaccuracies in the report about him harmed his employment prospects and caused him emotional distress.

Read the full post on our Commercial Litigation Blog.

Indian Supreme Court Declares the Right to Privacy a Constitutionally-Protected Fundamental Right

In a landmark decision, a nine judge bench of the Supreme Court of India ruled today that privacy is a fundamental right protected by the Constitution of India.

Background

Due to the volume of cases brought before the Supreme Court of India, cases are generally heard by benches consisting of a subset of the ten justices of the Supreme Court. The question of whether there is a constitutionally protected right to privacy arose in a 2015 case brought before a three judge bench of the Indian Supreme Court challenging the legal validity of the Government of India’s Aadhaar program.  Under the Aadhaar program, the Unique Identification Authority of India (UIDAI), an Indian government authority, is charged to assign a twelve digit unique identification number (UID) to each of the over 1.3 billion residents of India.  Each resident’s UID is linked to certain biometric information of the resident including his/her photograph, fingerprints and iris scans.  The UIDs are used by the government for a variety of purposes including to eliminate fraud in connection with the dispensing of benefits under various government welfare programs.  The three judge bench in the Aadhaar case determined that to assess the case appropriately, a determination of whether the right to privacy is a fundamental right protected by the Constitution of India was required by a larger bench of Indian Supreme Court justices.  Given that the 1954 case of M.P. Sharma et al. v. Satish Chandra, District Magistrate, Delhi et al. holding that privacy is not a right guaranteed by the Indian Constitution was decided by an eight judge bench, a larger bench of nine Supreme Court justices was convened to determine whether the rationale of the M.P. Sharma judgment and others which similarly found that the Indian Constitution does not guarantee a right of privacy was based on “jurisprudential correctness.”  This bench of nine justices of the Indian Supreme Court listened to arguments presented over six long days spread over three weeks. Continue Reading

A Year in Review: FTC Data Privacy Actions and its Impacts on 2017 and Beyond

Whether it means taking a prominent role shaping data security for the Internet of Things, or addressing high profile breaches, the FTC has adopted an active position in policing data privacy and security. And, as data becomes increasingly digital in its form and protections, data security is of paramount importance for all types of intelligence—whether financial, medical, or otherwise sensitive.  The Commission’s emphasis on these areas has not slowed, even as the composition of the Bureau of Consumer Protection changes under a new administration.  The FTC’s actions over the past year reflect that Commission’s continued emphasis on data privacy and its recent data privacy settlements have provided companies with a trail of breadcrumbs from which they can extract lessons learned and help avoid potential FTC scrutiny.

Continue Reading

The Health Care Industry Cybersecurity Task Force Prompts HHS to Issue a Revised HIPAA Breach Reporting Tool

Congress established the Health Care Industry Cybersecurity Task Force (the “Task Force”) in the Cybersecurity Act of 2015 (the “Act”) to address the challenges the health care industry faces when securing and protecting itself against cybersecurity incidents.  While all health care delivery organizations have a responsibility to secure their systems and patient data, many organizations face significant resource constraints, which hinders their ability to do so.  As a result, the public has seen an increase in ransomware attacks and large privacy breaches, which inevitably affects patient care.

Continue Reading

Update on FCC Privacy Rules

We previously reported on the FCC’s 2016 Privacy Order, “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” impacting Internet service providers’ data privacy practices and obligations and the corresponding timeline for compliance. Intervening events, however, have made the rules imposed by the 2016 Privacy Order moot. On June 26, 2017, the FCC adopted a new order providing guidance on reinstating the pre-2016 Privacy Order regulations. This order was issued pursuant to a joint resolution of Congress under the Congressional Review Act, signed by the President on April 3, 2017, disapproving the FCC’s 2016 Privacy Order. As a result, the 2016 Privacy Order has “no force or effect.” FCC Chairman, Ajit Pai, stated that the purpose of the new order is to “simply make clear that the privacy rules that were in effect prior to 2016 are once again effective.”

Continue Reading

LexBlog