Data Privacy Monitor

Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

2014 Mobile Privacy and Security Trends and What to Look for in 2015

Posted in Mobile Privacy

Most analysts and commentators agree that 2014 was the year mobile reached a tipping point.  With over 1 billion mobile smartphones in circulation, 2014 marked the first year that mobile Internet usage surpassed desktop use in the U.S. This trend will continue as users spend more time on mobile apps than on the Web. Mobile traffic climbed to record levels last year, with users checking their mobile devices an average of 150 times a day. Mobile commerce grew dramatically, much faster than desktop e-commerce, and is projected to reach $293 billion in the U.S. by 2018. And just as important, a growing number of consumers are experiencing a “mobile mind shift” to an expectation of real-time, location-driven, context-specific user experience and engagement.

It is no surprise, then, that 2014 may also have been the year that consumer concern about mobile privacy and data security finally caught up to consumers’ wide acceptance and use of the platform. As we have written about previously, Uber’s recent privacy debacle is but the latest example of companies that came under intense consumer and regulatory scrutiny in 2014 for their privacy failings. Last year  also saw an extraordinary number of data breaches, including the disclosure by JPMorgan Chase of an issue that may have affected up to 76 million households and 7 million small businesses, many of whom were mobile banking customers.

The ink is barely dry on 2015 and data privacy and security have already jumped to the forefront of our national conversation. Last week, President Obama announced two proposed federal data privacy and security bills. The week before, FTC Chairwoman Edith Ramirez warned at the Consumer Electronics Show of the privacy and data security risks of the Internet of Things. Mobile’s inexorable march – be it through apps or the IoT – will continue to demand more and more attention from lawmakers and regulators as privacy and security concerns grow.

Continue Reading

Dear Lawmakers, Your New Breach Notice Laws Should Address These Issues

Posted in Breach Notification, Data Breach Notification Laws

The days of companies being so afraid of the reputational impact of a breach that they would look for any way possible to avoid disclosure are gone.  The pendulum has swung in the opposite direction.  Now companies, often in the name of being “completely transparent” with their customers, want to disclose incidents as soon as possible (sometimes even before they know whether a “breach” actually occurred).  The immediate disclosure “instinct” companies are developing is, in part, due to the number of incidents being disclosed.  There certainly seems to be safety in numbers—there were significant breaches disclosed in 2014 that received much less attention than they likely would have if they had been disclosed prior to December 2013.  The continuous news cycle of incident reports has awakened the reactive cycle of new breach notification law proposals.  The new proposals, like their predecessors that were not enacted, are not paired with any empirical data of why new or expanded laws are needed and they often borrow heavily from existing laws that have obvious flaws.

Industry groups and even companies that faced highly-publicized security incidents have joined the call for a national breach notification law.  The lure of a national law is having one standard instead of 47 state laws and potentially overlapping federal laws and guidance for financial institutions and health care entities.  In practice, the differences across state law rarely make a difference in how a company responds to an incident.  Unauthorized acquisition of a file containing names and Social Security numbers by an attacker triggers a notification obligation in every state law.  But as states have expanded the definition of “personal information”—with some now applying to maiden names, dates of birth, or credentials to access online accounts—the differences have continued to increase.

Continue Reading

New York Attorney General Announces Proposal to Revamp State Data Security Laws

Posted in Breach Notification, Data Breach Notification Laws

On January 15, 2015, New York Attorney General Eric Schneiderman indicated that he plans to propose legislation to update New York’s information security laws, including by revising the definition of “private information” under the state’s data security breach notification statute. Schneiderman’s proposal comes on the heels of President Obama’s January 13, 2015, unveiling of measures further to his 2011 Cybersecurity Legislative Proposal, including a plan to create a national data breach notification standard aimed at “simplifying and standardizing the existing patchwork of … state laws … into one federal statute.”

Notably, Attorney General Schneiderman’s proposed changes to New York’s security breach notification law would expand the definition of “private information” to encompass:

  • email addresses (in combination with either the password or security question and answer);
  • medical information (including biometric information); and
  • health insurance information.

Continue Reading

Tanya Forsheit Discusses Current Issues in Data Privacy and Security with California Lawyer

Posted in Privacy

The “2015 Roundtable Series” in the January edition of California Lawyer includes comments from Partner Tanya Forsheit on data privacy and security. The article reports:

Law and precedents surrounding data privacy and security are mounting in jurisdictions across the country and around the world, putting conflicting pressures on businesses and their attorneys. Meanwhile, practitioners are advising clients on litigation over data breaches, on how to improve and implement policies for “data privacy hygiene,” and on how to insure themselves against cyber risks. California Lawyer moderated a conversation on these and related issues among Tanya Forsheit of BakerHostetler; Simon J. Frankel and Lindsey L. Tonsager of Covington & Burling; and Erik S. Syverson of Raines Feldman. The roundtable was reported by Connie Martin Dunne with Barkley Court Reporters.

Read the article

International Privacy — 2014 Year in Review — EU

Posted in International Privacy Law

While the last refrains of “should old acquaintance be forgot” fade away from New Years’ Eve celebrations, 2014 may be remembered as the year of the “right to be forgotten” in light of an EU privacy ruling last May. Below we cover that ruling and other significant events from 2014 — an eventful year in privacy in the EU.

  • The Right to Be Forgotten

The right to be forgotten ruling dates back to a 2010 complaint by a Spanish citizen against a Spanish newspaper, Google Spain, and Google Inc. The citizen complained that under the EU’s 1995 Data Protection Directive (the Directive), an auction notice of his repossessed home on Google’s search results infringed his privacy rights because the proceedings concerning him had been resolved.

The matter was referred to the Court of Justice of the European Union (Court of Justice), and a ruling was issued on May 13, 2014. The decision held that search engines are “data controllers” under the Directive and, as such, must provide data subjects with the right to be forgotten. This allows an individual to request that search engines remove links and URLs derived from a search based on the person’s name. The right is not absolute but is subject to, among other conditions, a case-by-case assessment to consider the type of information in question and the interest of the public in having that information.  Continue Reading

Fernando Bohorquez Participates in Compliance Week Podcast: Navigating the Pitfalls of Geolocation Data

Posted in Mobile Privacy

The media recently reported that app-based ride sharing service Uber misused the company’s real-time location feature to track customers without their consent. Photo-sharing app Snapchat recently faced a complaint from the Federal Trade Commission because its privacy policy claimed it did not collect location-based information when it actually did. In light of these incidents, Partner Fernando Bohorquez participated in Compliance Week’s December 22nd podcast, “Navigating the Pitfalls of Geolocation Data,” in which he discusses how companies can navigate the potential risks of geolocation data, incorporate the FTC’s “privacy-by-design” standard, and stay out of trouble with regulators and privacy advocates alike.

Listen to the Podcast

Paul Karlsgodt Named 2014 Law360 MVP for Privacy

Posted in Privacy Class Actions

Second straight year a BakerHostetler privacy attorney named to MVP list

BakerHostetler is proud to announce that Partner Paul Karlsgodt has been named a Privacy MVP by national legal publication Law360. He is one of only five attorneys nationwide selected for this honor. As the leader of BakerHostetler’s national Class Action Defense team, Karlsgodt is recognized for his strong consumer class action background and for his ability to navigate cutting-edge areas of law in high-profile data breach and privacy matters in a multitude of industries, including healthcare, insurance, retail, and telecommunications. Paul is the second attorney in as many years to be named to the list, following Privacy and Data Protection team co-leader Ted Kobus in 2013. BakerHostetler is the only law firm recognized by Law360 for having two different MVPs in the privacy category. The publication named BakerHostetler’s Privacy and Data Protection team as a “Practice Group of the Year” in 2013 and 2014, and the Class Action Defense team as a “Practice Group of the Year” in 2014. Read more >>

2014 Information Governance Year in Review

Posted in Information Governance

2014 has been perhaps the biggest year Information Governance (“IG”) has seen. A relatively small and, if not unknown, at least undefined field only a few years ago has grown into an area of interest—and concern—to many organizations. The continued growth of data, the escalating threat of data breaches, the amazing ability to collect and analyze immense databases of personal information (the “Big Data” effect), the rising costs of electronic discovery, and new laws and regulations addressing privacy and security have all combined to underscore the importance of proper IG practices to organizations’ well-running—and the need to address related risks as well.

The Continued Debate over “What Is IG?”

Despite a continued dialogue regarding IG, the definitions still vary, and what IG is and what IG truly encompasses still generate lively debate. For example, the Information Governance Initiative (“IGI”) defines IG as “the activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.” The Association of Records Managers and Administrators (“ARMA”) provides more detail when defining IG as “a strategic framework composed of standards, processes, roles, and metrics that hold organizations and individuals accountable to create, organize, secure, maintain, use, and dispose of information in ways that align with and contribute to the organization’s goals.” And Gartner, a premier information advisory company in its own right, suggests that IG is the “specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.” These definitions all encompass the same basic ideas concerning the management of information but seem to emphasize different principles or aspects of IG.

Continue Reading

FTC $19 Million Settlement with Google: Unauthorized In-App Charges Are Not Child’s Play

Posted in COPPA, Mobile Privacy

The FTC recently approved a final Order resolving allegations that Google unfairly billed customers millions of dollars for unauthorized charges made by children using mobile apps downloaded from the Google Play app store. Under the settlement, first announced in September, Google will provide full refunds to consumers charged for purchases of items within mobile apps (“in-app purchases”) without their consent. Google must provide at least $19 million in customer refunds and remit the balance to the FTC if refunds do not reach that amount.

The FTC’s complaint alleged that Google, which began offering in-app purchases through the Google Play app store in 2011, did not have any protection to prevent unauthorized in-app purchases until mid-2012, when it added a password prompt. This, according to the FTC, constituted deceptive and unfair trade practices in violation of Section 5 of the FTC Act. The FTC found Google’s 2012 addition of password protection to be insufficient, however, since the prompt did not display the amount to be charged to the account and did not inform consumers that entry of a password would start a 30-minute window in which charges could be made without reentering a password.

Continue Reading

What’s on the Horizon in the Golden State?

Posted in Breach Notification, Cybersecurity, Data Breach Notification Laws, Marketing, Online Privacy

As we near the turn of the year into 2015, organizations should keep an eye on laws taking effect on the West Coast. This year, the crop of new privacy statutes includes a few without precedent anywhere in the country. The focus? Kids and security. Following are a few examples of new California laws taking effect January 1 that will have an impact on the private sector and schools.


SB 568: This post will self-destruct in five seconds. Continue Reading