Privacy Law Blog

Sixth Circuit Rules that “Pocket Dials” May Not Be Entitled to an Expectation of Privacy

In a move that may strike fear into the hearts of mobile phone owners everywhere, the Sixth Circuit recently ruled that a person’s “pocket dials” – those inadvertent calls made from a person’s mobile phone, generally when the phone is in its owner’s pocket, and alternatively referred to as “butt dials” – may not be entitled to an expectation of privacy.

4th Time is Not a Charm: Android Users Plead Themselves Out of Court

Finding that the Plaintiffs lacked Article III standing to pursue their case, Google, Inc. (“Google”) won dismissal of the Android users’ putative class action lawsuit after more than three years of litigation. In re Google Inc. Privacy Policy Litigation, No. 12-01382 (N.D. CA July 15, 2015). The Android users had claimed that Google violated its own privacy policy by disclosing personal information to third parties without permission.

Connecticut Updates its Data Security Laws, Imposing Stringent New Requirements

On June 30, 2015, the Governor of Connecticut signed into law S.B. 949, “An Act Improving Data Security and Agency Effectiveness.”[1] The new law updates Connecticut’s data security laws, including by adding a 90-day hard deadline for data breach reporting, requiring companies in some cases to offer data breach victims a year of free identity theft prevention services, imposing new and specific data security program requirements on health insurance companies and other entities subject to Insurance Department regulation, and requiring state agencies to impose certain detailed security requirements on state contractors that maintain personal information. With a near constant stream of data breaches affecting entities from health insurers to retail giants to the government, the law responds to growing fears about data security.

Under the new law, beginning October 1, 2015, a data breach will require any person or entity conducting business in Connecticut to give notice “without unreasonable delay,” but now no later than 90 days after discovery of the breach, to state residents whose personal information was breached or reasonably believed to have been breached. The Connecticut Attorney General stated in a press release that 90 days is an “outside limit” that does not diminish his discretion to take action against entities who “unduly delay” notification.[2] Importantly, the law also requires the provision of at least twelve months of free identity theft prevention and mitigation services, but only in cases where Social Security numbers are breached or reasonably believed to have been breached.

In addition, no later than October 1, 2017, health insurers, pharmacy benefit managers and certain other entities regulated by the Connecticut Insurance Department must implement and maintain a “comprehensive information security program” to protect personal information. While the requirements generally track HIPAA obligations that will likely already apply to these entities, the new requirements go further, for example by requiring encryption of all personal information transmitted on a public Internet network or wirelessly, encryption of all personal information stored on a portable device, specified secure authentication and access protocols, and imposition of disciplinary measures for employees who violate the security policies or procedures. Under the security program, the entities must also prevent terminated, inactive, or retired employees from accessing personal information.

New requirements with respect to state contractors will also take effect. Beginning in July 2015, state agencies must require in every written agreement that private contractors implement and maintain a “comprehensive data-security program.” Among other requirements, contractors will be prohibited from storing data on stand-alone devices (such as flash drives or laptop notebooks) unless expressly permitted to do so in the state contract, and contractors, not the State, must bear any added expense associated with implementing the data security program. In addition, the written agreement must stipulate how costs of data breach notification will be allocated between the state agency and the contractor.

With respect to enforcement, the Attorney General continues to have authority over data breach notification. The Act also newly empowers the Attorney General to bring civil suit against a contractor in breach of the new comprehensive data-security program law, while the Secretary of the Office of Policy and Management may require contractors to take additional security protections where the type and amount of information warrants such protection. With respect to health insurance entities, the Insurance Commissioner will enforce the new data security requirements.

Companies doing business in Connecticut or contracting with the State of Connecticut should carefully review the added data security and breach notification measures and consider whether revisions of current policies are necessary to comply with the state’s stringent new requirements.

Special thanks to Proskauer summer associate Krista L. White for her contributions to this post.

[1] S.B. 949 (Ct. 2015).

[2] “Statement from AG Jepsen on Final Passage of Data Breach Notification and Consumer Protection Legislation,” Connecticut Office of the Attorney General, http://ct.gov/ag/cwp/view.asp?A=2341&Q=566508 (last visited July 13, 2015).


Supreme Court Invalidates Los Angeles Law Authorizing Warrantless Searches of Hotel Records

In City of Los Angeles v. Patel, the Supreme Court invalidated a Los Angeles law that allowed law enforcement officials to inspect hotel and motel guest registries at any time, without a warrant or administrative subpoena. The Court ruled that the law violated hotel owners’ Fourth Amendment rights because it “penalizes them for declining to turn over their records without affording them any opportunity for pre-compliance review.”

In reaching its decision, the Court also announced two findings with implications for future lawsuits brought under the Fourth Amendment:

  1. Facial challenges to statutes are permitted under the Fourth Amendment
  2. Hotels and motels do not fall under the “pervasively regulated” exception to the warrant requirement


In the E.U., Where to Bring Suit When the Subject is Data and the Defendant is a U.S. Company? Hint: It’s About More Than Just Location

When are U.S. social media companies subject to European data privacy laws? As we reported in 2013, the answer is often contingent on geographic location – where the relevant data is processed. In 2013, for example, a German court ruled that Facebook was not subject to German data protection laws because the relevant data was processed in Ireland, not Germany.

However, in 2014, a different German court at the same level found, in a separate case, that Facebook could be subject to German data protection laws, finding that the relevant data was processed outside the E.U. in the United States rather than Ireland.

But geography isn’t everything. As an Austrian court decision last week makes clear, the location of data processing is not the only potential hurdle for would-be plaintiffs bringing suit against U.S. companies in the E.U. The Vienna Regional Court dismissed a case against Facebook, not because of national borders, but because of the identity of the plaintiff and how he used his Facebook accounts.

Connecticut Joins States That Protect Personal Online Accounts of Employees

Connecticut has joined a list of twenty-one states with a statute designed to preserve the privacy of personal online accounts of employees and limit the use of information related to such accounts in employment decision-making. Legislation directed to online privacy of employees has also passed this year in Montana, Virginia, and Oregon, and such legislation is pending in a number of other states.

EU Data Privacy Updates

A brief rundown of developments in recent weeks in the area of EU data protection law:

EU Data Protection Regulation

On Monday, June 15, the EU Council (comprised, for purposes of data protection reform, of the justice ministers from each of the EU member states) reached an agreement on a draft data protection regulation, marking an important milestone in the ongoing effort to reform and modernize data protection law in the EU. (This development follows the European Commission’s publication of a proposed regulation in January 2012 and the European Parliament’s official agreement to a “compromise” version in March 2014.) Beginning this week, these bodies will begin negotiations to reconcile the three versions with a stated goal of promulgating a final regulation by the end of the year. The regulation will replace the 1995 Data Protection Directive and, once it comes into force, will apply directly in each of the EU member states, creating greater uniformity across the EU in respect of data protection standards.

Check back here next week for an overview of the key differences (and, thus, areas for negotiation) among the positions promulgated by the Commission, Parliament and Council.

Safe Harbor

As we recently reported, the US and EU continue to negotiate reforms to the US-EU Safe Harbor. It was announced earlier in June that progress is being made, and one EU official told the Wall Street Journal at that time that US officials were being given “another month” to address the EU’s concerns. As we’ve reported in the past, US government access to personal data appears to remain a sticking point.

Concurrent with these negotiations, the European Court of Justice (“ECJ”) also has been considering a broad challenge to the Safe Harbor in the case of Schrems v. Facebook Ireland Ltd. The plaintiff in that case has argued that, given the NSA/Snowden revelations, the Safe Harbor (upon which Facebook—like many other US-based companies—relies to transfer and hold users’ personal data in the US) could not provide adequate protection as a matter of EU law. The ECJ is considering, among other questions, whether a data protection authority can investigate an individual’s claim that the US does not adequately protect data transferred from the EU or whether it must accept as a matter of law that Safe Harbor compliance means data is adequately protected. The case has the potential to have far-reaching effects if the ECJ were to reach the merits of the sufficiency of the Safe Harbor program (as opposed to simply addressing whether the Irish data protection authorities may investigate and/or punting in light of the ongoing reform negotiations). An opinion was originally scheduled to be issued on June 24, 2015, but it was disclosed last week that the opinion will be delayed, and no new publication date has yet been announced.

**This post also appears on Proskauer’s International Labor and Employment Law Blog.**
