On February 3, 2015, European data protection regulators released the Cookie Sweep Combined Analysis Report analyzing how websites use cookies to collect data from European citizens and highlighting noncompliance with Article 5(3) of the EU’s ePrivacy Directive. Among other requirements, this directive mandates that website operators obtain users’ consent for the use of cookies or similar tracking technologies. Notably, the directive purports to reach beyond the borders of European Union to apply to any website directed to or collecting data from European citizens.

To compile data for the report, the EU’s Article 29 Data Protection Working Party conducted a sweep of 478 of the most frequently visited websites in the e-commerce, media, and public sectors in eight EU Member States. The sweep targeted websites in these sectors because they likely pose the greatest risk to data protection and privacy for European citizens. The cookie sweep consisted of two stages: (1) a statistical review of cookies used by the websites and their technical properties; and (2) an in-depth manual review of cookie information and consent mechanisms. The study recorded each website’s cookie notification method, the visibility and quality of cookie information provided, and the mechanism offered for users to express consent.

On January 27, 2015 the Federal Trade Commission (the “FTC”) issued a report detailing best practices and recommendations that businesses engaged in the Internet of Things (“IoT”) can follow to protect consumer privacy and security. The IoT refers to the connection of everyday objects to the Internet and the transmission of data between those devices. According to Gartner estimates the IoT services spending will reach $69.5 billion in 2015. The potential benefits of IoT growth include enhanced healthcare through connected medical devices, convenience and cost savings through home automation and improved safety and convenience through connected cars.

By Rochelle Emert and Phillip Caraballo-Garrison

On February 3, 2015, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert that summarized its findings about cybersecurity preparedness in the securities industry. As part of its Cybersecurity Examination Initiative, the OCIE collected and analyzed information about cybersecurity practices

Authors: Roger Cohen, Paul Hamburger, Kristen Mathews, Ellen Moskowitz, Richard Zall

Anthem Inc. (Anthem), the nation’s second-largest health insurer, revealed late on Wednesday, February 4 that it was the victim of a significant cyber attack. According to Anthem, the attack exposed personal information of approximately 80 million individuals, including those insured by related Anthem companies.

On January 23, 2015, Senior Attorney Lesley Fair at the Federal Trade Commission (“FTC”) posted on the Agency’s business blog clarifying how the Children’s Online Privacy Protection Act (“COPPA”) applies to schools.  COPPA seeks to protect the privacy of children by allowing parents to control what personal information about their children under the age of thirteen may be collected by “operators” of websites or online services, including apps, that are either directed to children or that knowingly collect personally identifiable information from children.  Subject to certain regulatory exceptions, the entities covered by COPPA must notify parents and obtain consent before collecting, using, or disclosing any personal information from children under thirteen. 

Big or small, all bank accounts are susceptible to hijacking and fraudulent wire transfers. Banks ordinarily bear the risk of loss for unauthorized wire transfers. Two independent frameworks exist to govern these transfers: the Electronic Fund Transfer Act (“EFTA”) for consumer accounts, and Article 4A of the Uniform Commercial Code (“UCC”) for business accounts.

While the EFTA will ordinarily shield consumers from having to pay for most unauthorized charges as long as they provide notice to their bank, UCC §4A-202 shifts the risk of loss to the customer if the bank can show that (1) a commercially reasonable security procedure was in place and (2) the bank accepted the payment order in good faith and in compliance with the security procedure and any other written agreement or customer instruction.

The commercial reasonability of a security procedure is a question of law, and courts will consider several factors, including:

  • Customer instructions expressed to the bank
  • The bank’s understanding of the customer’s situation, including the size, type, and frequency of payment orders ordinarily issued
  • Alternative security procedures offered to the customer
  • Security procedures in general use by similarly situated banks and customers.

In addition, a security procedure will be found commercially reasonable if the customer selected it after refusing a security procedure that was commercially reasonable for the customer’s needs.