To compile data for the report, the EU’s Article 29 Data Protection Working Party conducted a sweep of 478 of the most frequently visited websites in the e-commerce, media, and public sectors in eight EU Member States. The sweep targeted websites in these sectors because they likely pose the greatest risk to data protection and privacy for European citizens. The cookie sweep consisted of two stages: (1) a statistical review of cookies used by the websites and their technical properties; and (2) an in-depth manual review of cookie information and consent mechanisms. The study recorded each website’s cookie notification method, the visibility and quality of cookie information provided, and the mechanism offered for users to express consent. Continue Reading
On January 27, 2015 the Federal Trade Commission (the “FTC”) issued a report detailing best practices and recommendations that businesses engaged in the Internet of Things (“IoT”) can follow to protect consumer privacy and security. The IoT refers to the connection of everyday objects to the Internet and the transmission of data between those devices. According to Gartner estimates the IoT services spending will reach $69.5 billion in 2015. The potential benefits of IoT growth include enhanced healthcare through connected medical devices, convenience and cost savings through home automation and improved safety and convenience through connected cars.
By Rochelle Emert and Phillip Caraballo-Garrison
On February 3, 2015, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert that summarized its findings about cybersecurity preparedness in the securities industry. As part of its Cybersecurity Examination Initiative, the OCIE collected and analyzed information about cybersecurity practices and trends from over 100 registered investment advisers and broker-dealers. Proskauer discussed the OCIE study and its key findings in a client alert located here. With the OCIE stating that it will continue to focus on cybersecurity issues through 2015, registered investment advisers and broker-dealers should evaluate their cybersecurity policies and procedures in consideration of the OCIE findings.
Authors: Roger Cohen, Paul Hamburger, Kristen Mathews, Ellen Moskowitz, Richard Zall
Anthem Inc. (Anthem), the nation’s second-largest health insurer, revealed late on Wednesday, February 4 that it was the victim of a significant cyber attack. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including those insured by related Anthem companies. Continue Reading
On January 23, 2015, Senior Attorney Lesley Fair at the Federal Trade Commission (“FTC”) posted on the Agency’s business blog clarifying how the Children’s Online Privacy Protection Act (“COPPA”) applies to schools. COPPA seeks to protect the privacy of children by allowing parents to control what personal information about their children under the age of thirteen may be collected by “operators” of websites or online services, including apps, that are either directed to children or that knowingly collect personally identifiable information from children. Subject to certain regulatory exceptions, the entities covered by COPPA must notify parents and obtain consent before collecting, using, or disclosing any personal information from children under thirteen. Continue Reading
Big or small, all bank accounts are susceptible to hijacking and fraudulent wire transfers. Banks ordinarily bear the risk of loss for unauthorized wire transfers. Two independent frameworks exist to govern these transfers: the Electronic Fund Transfer Act (“EFTA”) for consumer accounts, and Article 4A of the Uniform Commercial Code (“UCC”) for business accounts.
While the EFTA will ordinarily shield consumers from having to pay for most unauthorized charges as long as they provide notice to their bank, UCC §4A-202 shifts the risk of loss to the customer if the bank can show that (1) a commercially reasonable security procedure was in place and (2) the bank accepted the payment order in good faith and in compliance with the security procedure and any other written agreement or customer instruction.
The commercial reasonability of a security procedure is a question of law, and courts will consider several factors, including:
- Customer instructions expressed to the bank
- The bank’s understanding of the customer’s situation, including the size, type, and frequency of payment orders ordinarily issued
- Alternative security procedures offered to the customer
- Security procedures in general use by similarly situated banks and customers.
In addition, a security procedure will be found commercially reasonable if the customer selected it after refusing a security procedure that was commercially reasonable for the customer’s needs.
Like many federal statutes, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains a provision governing how the statute is designed to interact with similar or otherwise related state laws. When this type of provision is used to override or supplant similar state laws, the provision is called “preemptive.” On November 11, 2014, the Connecticut Supreme Court held in Byrne v. Avery Center For Obstetrics and Gynecology, P.C. that state law negligence claims are not preempted by HIPAA even where the plaintiff relies on HIPAA to establish the applicable standard of care. In so holding, the Court Continue Reading
With paywalls and premium subscriptions finding only modest success, paid advertisements remain the primary means of generating revenue from online content. Native advertising has emerged as a leader in the competition for ad impressions and brand engagement. Expected to grow from $7.9 billion in spending this year to $21 billion by 2018, native advertising is lauded as the future of online advertising. Continue Reading
A few months after the European Court of Justice ruled on May 13, 2014 that search engines are considered personal data controllers under the EU Data Protection Directive of 1995 and, as such, should provide data subjects with a right to be forgotten, a French Tribunal enforced this principle in X & Y v. Google France.
In a summary proceeding on September 16, 2014, the Paris Tribunal (Tribunal de Grande Instance) held that Google must erase from its search engine, under penalty of €1,000 per day, all links leading to defamatory content published on Facebook (see attached judgement: TGI Paris – Ordonnance du 16 septembre 2014). Continue Reading
With the new year just around the corner, retailers should make a resolution to learn more about EMV technology. That’s because 2015 is slated to be the year EMV technology makes significant inroads in the United States, and retailers need to be prepared. In this post, we answer some frequently asked questions about what the introduction of this new standard means for retailers and the steps they must take in order to prepare for the widespread adoption of this new technology. Continue Reading
The Court hearing the Target data security breach litigation issued a ruling on December 2, 2014, largely denying Target’s motion to dismiss the Consolidated Amended Class Action Complaint in the Financial Institutions Cases. In his decision, Judge Magnuson found that Target owed the issuer banks a duty to protect customer data from hackers, a determination that was based on allegations that Target played a “key role” in allowing the break-in to occur by intentionally disabling one of the security features that would have prevented the harm. Decision at 5. At issue in the case is whether Target should be held responsible for the costs incurred by the issuer banks as a result of fraudulent charges and to replace customers’ credit and debit cards.
The importance of the decision is that it provides banks with a legal basis to seek to hold merchants financially responsible for the costs of data breaches if the facts suggest the merchants’ data security systems were deficient.
Of course, this is just the first round in the litigation and the banks will still need to prove their case before imposing liability on Target. That said, this decision is surely a sign of things to come and we will continue to mind the store and report on developments.
The Article 29 Working Party, which is composed of representatives of DPA’s from every European country, has recently rendered an opinion (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf ) on data privacy issues surrounding the development of the “Internet of Things” (IoT), which includes wearable computing, quantified self devices, and domotics. Although such data is generated by “things” or devices, it is considered personal data because it may enable the life pattern of a specific individual to be discerned. After identifying the major privacy issues raised by such devices, the Article 29 Working Party made a series of recommendations to IoT stakeholders. Continue Reading