Privacy Law Blog

New York DFS Cybersecurity September 2018 Deadline

The New York Department of Financial Services cybersecurity regulation 23 NYCRR 500 (the “Regulation”) came into effect in March 2017 and established four staggered compliance deadlines for its various requirements.

By the third deadline of September 3, 2018, Covered Entities are required to be in compliance with sections 500.06 (audit trails), 500.08 (application security), 500.13 (limitations on data retention), 500.14(a) (training and monitoring), and 500.15 (encryption of nonpublic information).

General Data Protection Regulation and Charitable Organizations FAQs

In the context of enforcement of the European General Data Protection Regulation (“GDPR”)[1] on May 25, 2018, charitable organizations have shown increased concern as to whether the GDPR applies to them, and what being subject to the GDPR means.

The California Consumer Privacy Act of 2018

This has been a big year in the data protection world, with the headline-grabbing General Data Protection Regulation (GDPR) occupying most of the spotlight with its plethora of privacy-related requirements and potential for high fines for violators. While companies (justifiably) may be focused on the GDPR at the moment, it’s also important to keep an eye on new privacy laws on the horizon in order to avoid last-minute scrambles for compliance as effective dates near. Foremost among these new laws is the California Consumer Privacy Act of 2018. The Act was introduced and signed quickly in order to prevent voters from facing a similar ballot initiative in the November election. This post provides an overview of the new law, which will go into effect beginning January 1, 2020.

Lessons from the SEC’s First Cyber-Disclosure Enforcement Action

The SEC’s new Cyber Unit released its first cyber-disclosure enforcement action. We recently authored an article on the key takeaways of the SEC’s new cybersecurity initiatives.

Read the full New York Law Journal article here.

Blockchain, Personal Data and the GDPR Right to be Forgotten

The effective date of the EU’s General Data Protection Regulation (GDPR) is fast approaching (May 25, 2018), and its impacts are already being felt across various industries. Specifically, the conflicts between the GDPR and the technical realities of blockchains raise important legal considerations for companies seeking to implement blockchain solutions that involve the personal data of EU data subjects.

Read the full post on our Blockchain and the Law blog.

D.C. Circuit’s Long-Awaited Ruling Narrows FCC’s 2015 TCPA Order

On March 16, 2018, the D.C. Circuit Court of Appeals released a long-awaited decision in ACA International, et al. v. FCC, unanimously ruling to narrow a 2015 Federal Communications Commission (FCC) order (the “2015 Order”) that expanded the scope of the Telephone Consumer Protection Act (TCPA).

The TCPA is a federal law that governs marketing to telephones (including text messages) and fax machines, as well as the use of automatic telephone dialing systems (referred to as autodialers or ATDSs). The TCPA generally prohibits the use of an autodialer to call or text wireless telephone numbers without prior consent. The FCC is the federal agency charged with interpreting the TCPA and issuing rules implementing the TCPA. Since there is a private right of action under the TCPA and the potential amount of statutory damages is high (for example, as much as $500-$1,500 for each text per plaintiff), TCPA litigation continues to plague companies.

This ruling is significant because it will affect the many district court cases considering the issue of what constitutes an autodialer that were stayed in anticipation of the D.C. Circuit’s ruling.

The Court’s Ruling

In its ruling, the D.C. Circuit addressed four issues:

  1. Which sorts of automated dialing equipment are subject to the TCPA’s restrictions on unconsented calls;
  2. When a caller has obtained a party’s consent, does a call nonetheless violate the TCPA if, unbeknownst to the caller, the consenting party’s wireless number has been reassigned to a different person who has not given consent;
  3. How a consenting party may revoke her consent; and
  4. Whether the FCC too narrowly fashioned an exemption from the TCPA’s consent requirement for certain healthcare-related calls.

With respect to the first issue, the D.C. Circuit struck down the 2015 Order’s clarification of what constitutes an autodialer. The TCPA defines an autodialer as equipment that has the capacity (1) to store or produce telephone numbers to be called, using a random or sequential number generator, and (2) to dial such numbers. In the 2015 Order, the FCC stated that a device’s “capacity” is not limited to its current configuration and includes “potential functionalities” such as modifications and the addition of software. The court rejected the FCC’s broad construction, noting that such a construction “would appear to subject ordinary calls from any conventional smartphone to the [TCPA’s] coverage, an unreasonably expansive interpretation of the statute.” According to the court, under the FCC’s rule, “any uninvited call or message from the device is a statutory violation,” and thus conventional smartphone users could face a $500 penalty for calling a person without first getting consent to contact them. The D.C. Circuit also examined whether a device qualifies as an autodialer only if it can generate random or sequential numbers to be dialed. The court explained that the 2015 Order gives no clear answer to this question, leaving affected parties “in a significant fog of uncertainty.” Thus, the FCC’s expansive interpretation in the 2015 Order of when a device has the “capacity” to perform the functions to qualify as an autodialer failed to satisfy the requirements of reasoned decisionmaking.[1]

With respect to the second issue, the court vacated the FCC’s approach to calls made to a phone number that, although previously assigned to a person who had given consent, has since been reassigned to another nonconsenting person. In the 2015 Order, the FCC concluded that such calls violate the TCPA but granted a one-call, post-reassignment safe harbor. The D.C. Circuit held that this one-call safe harbor is arbitrary and capricious because the FCC did not explain why it was no longer reasonable to rely on the prior express consent after just one call or message. (In fact, the FCC conceded that the first call may not give a caller notice of a reassignment.) Therefore, the court set aside the FCC’s treatment of reassigned numbers as a whole.

With respect to the third issue: The 2015 Order allowed parties to revoke their consent through any “reasonable means” that clearly express a desire to receive no further messages from the caller. Petitioners challenged the FCC’s refusal to implement standardized revocation procedures that would provide more certainty. The D.C. Circuit upheld this allowance, noting that the petitioners’ concerns were overstated.

With respect to the fourth issue, the court sustained the scope of the FCC’s exemption for non-telemarketing, time-sensitive, healthcare-related calls. Petitioners challenged this exemption on grounds that it restricts communications that were otherwise permissible under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and is arbitrary and capricious. The court rejected these arguments, reasoning that there is no obstacle to complying with both HIPAA and the TCPA. While HIPAA prohibits covered entities and their business associates from using or disclosing protected health information, they are generally permitted to use or disclose that information for treatment, payment or healthcare operations. Additionally, the court did not find the exemption to be arbitrary and capricious.

Significance and Impact of the Ruling

Prior to the 2015 Order, the majority of federal courts adopted the “current capacity” test when considering the issue of whether “capacity” requires an actual, present capacity to function as an autodialer without modification. This test was rejected by the FCC in the 2015 Order. Petitioners’ appeal to the D.C. Circuit challenged the FCC’s interpretation in the 2015 Order. Because district courts are bound by the FCC’s orders in TCPA cases, many district courts stayed cases considering the issue of what constitutes an ATDS, awaiting the D.C. Circuit’s order in this case. With respect to the two issues for which the court set aside the FCC’s interpretation (what constitutes an autodialer, and treatment of reassigned numbers), the court did not replace the FCC’s interpretation with its own interpretation, leaving courts considering these issues with limited guidance. We will continue to watch TCPA cases and how they are affected by the D.C. Court’s order.


[1] The D.C. Circuit assessed whether the FCC’s actions in the 2015 Order were “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law,” and applied the two-step Chevron framework to examine whether Congress has spoken to the precise question at issue, and, if not, whether the agency’s answer is based on a permissible construction of the statute. Arbitrary-and-capricious review inquires whether the agency engaged in reasoned decisionmaking.

South Dakota Passes Breach Notification Law, Leaving Alabama the Only U.S. State Without a Breach Notification Law

On March 21, 2018, South Dakota Governor Daugaard signed S.B. 62, enacting the state’s first data breach notification law, which will go into effect July 1, 2018. Previously, Alabama and South Dakota were the only U.S. states without data breach notification laws. As of July 2018, Alabama will be the last state without a data breach notification law, though this may soon change. The District of Columbia and three U.S. territories – Guam, Puerto Rico and the U.S. Virgin Islands – also have data breach notification laws in place.

South Dakota’s law requires that any person or business that conducts business in South Dakota and owns or licenses computerized “personal information”[1] or “protected information”[2] of the state’s residents (such persons/businesses referred to as “information holders”) disclose any “breach of system security” to any South Dakota resident whose personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person.

The law gives information holders a sixty-day window (from the date of discovery or notification of the breach) to notify individuals, unless law enforcement determines that the notification should be delayed. However, if the information holder conducts an appropriate investigation, reasonably determines that the breach will not likely result in harm to the affected residents and notifies the South Dakota attorney general of its determination, then the information holder is not required to notify affected residents.

Additionally, information holders must notify (1) all consumer reporting agencies and (2) if the breach affects over 250 South Dakota residents, the South Dakota attorney general. This consumer reporting agency notification obligation is unique, as most state breach notification laws only require such notification if a high number of residents, for example 500 or 1,000 residents, are affected.

The law provides the state Attorney General (and, potentially, affected residents) with significant remedies. A violation of the breach notification law is considered a deceptive act or practice under South Dakota Codified Laws (“SDCL”) § 37-24-6, South Dakota’s consumer protection law. The South Dakota attorney general may (1) “prosecute each failure to disclose” under the breach notification law’s provisions as a deceptive act or practice under SDCL § 37-24-6, (2) impose a civil penalty of up to $10,000 per day per violation and (3) avail himself of any of the remedies provided under chapter 37-24 of SDCL. South Dakota Attorney General Jackley reportedly stated that a failure to provide notification required under the breach notification law entitles affected residents to a private right of action under SDCL § 37-24-31.

[1] “Personal information” is defined as a person’s name in combination with any of the following: (a) Social Security numbers, (b) driver’s license numbers or other government-issued unique identification numbers, (c) account, credit card or debit card numbers, in combination with any required code, PIN or information that would permit access to a person’s financial account, (d) health information as defined by HIPAA, and (e) employee identification numbers in combination with any code or biometric data required for authentication.

[2] “Protected information” is defined as (a) user names and email addresses in combination with any associated passwords or security question answers which would provide access to online accounts, and (b) account, credit card or debit card numbers in combination with any required code or password that permits access to a person’s financial account. Please note that (b) overlaps with part of the definition of “personal information,” but not completely.