The Weekly Privacy Rewind

Data Breaches

Comcast’s Xfinity Service Potentially Exposes Addresses and Partial SSNs of More Than 26.5 Million Customers

• According to security researcher Ryan Stevenson, alleged vulnerabilities in the system Comcast Xfinity uses to verify users’ identities could have allowed an attacker to learn those users’ home addresses and partial Social Security numbers.

• After being informed of the issues, Comcast patched the alleged vulnerabilities.

• According to a Comcast spokesperson, Comcast “quickly investigated these issues and within hours … blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. [Comcast has] no reason to believe these vulnerabilities were ever used against Comcast customers.”

Continue Reading

Department of Justice Releases Attorney General’s First Cyber-Digital Task Force Report

The Department of Justice recently released its comprehensive assessment of cyber threats in the United States, titled “Report of the Attorney General’s Cyber-Digital Task Force.” The Report is the result of the establishment of the Attorney General’s Cyber-Digital Task Force by the Department in February 2018. Attorney General Jeff Sessions directed the Task Force to answer two questions:

  1. How is the Department responding to cyber threats?
  2. How can federal law enforcement more effectively accomplish its mission in this important and rapidly evolving area?

Continue Reading

Not Too Early to Start to Prepare for New California Privacy Law

In late June, the California legislature signed into law Assembly Bill 375 (AB 375) as the California Consumer Privacy Act of 2018 (CCPA), a privacy law, unprecedented in the U.S., that grants California residents a broad range of European-like rights when it comes to their personal information (PI), effective Jan. 1, 2020. To be able to comply on the effective date, businesses will need to start record-keeping no later than Jan. 1, 2019, and likely will need to complete data mapping prior to that. Data inventorying and management vendors are scrambling to update their platforms to enable businesses to do so, and the cost of such solutions is projected to be significant – $50,000 to $100,000 a year. Given that processing an average of 138 credit cards a day, or having an average of 138 unique website visits a day, or a combination thereof and other data collection, is enough to draw a business under the scope of the law, all but the smallest businesses will need to comply. There are also certain obligations and liabilities for certain types of service providers processing the data of a regulated business, and other third parties.

Continue Reading

Ohio Law Offers Safe Harbor to Companies Meeting Cyber Standards

Ohio will soon have a law in place that provides a “legal safe harbor” from tort claims related to a data breach, to entities that have implemented and comply with certain cybersecurity frameworks. It remains to be seen whether any entity will ever be in a position to take advantage of the affirmative defense this law offers. Below is a summary of the key provisions, followed by comments on why the safe harbor is likely the equivalent of a really small umbrella in a downpour.

The legal safe harbor comes from amendments to Ohio law from Senate Bill 220, which was signed into law by Ohio Governor John Kasich on August 3, 2018, and will take effect 90 days after it is provided to the Ohio Secretary of State.

Continue Reading

The Weekly Privacy Rewind

Federal Trade Commission

Federal Trade Commission Asks for Ability to Fine Companies for Privacy Violations

• Speaking before the U.S. House of Representatives’ Subcommittee on Digital Commerce and Consumer Protection, the commissioners of the Federal Trade Commission (FTC or Commission) said Congress needs to pass new laws to allow the FTC to fine companies that violate consumer’s privacy rights, as well as allow the Commission greater flexibility to amend its own rules to address potential violations.

• At the same time, Chairman Joseph Simons recognized a “trade off between privacy and data security and competition,” noting that the Commission is “nervous that if [the FTC does] privacy in one way and go[es] too far [in] one direction, [it will] reduce competition.”

Continue Reading

HHS Releases Interim Guidance on Authorizations for Research

The Department of Health and Human Services (HHS) recently released interim guidance on sufficiency of authorizations for future uses or disclosures of protected health information (PHI) for research purposes.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) permits covered entities and business associates to use or disclosure PHI only as permitted by the Privacy Rule or as authorized in writing by the information’s owner or that person’s personal representative. The 21st Century Cures Act, enacted in 2016, sought, in part, to improve accessibility to medical information for research purposes. It mandated HHS issue guidance on how to allow for this improved access while still protecting patients’ rights under HIPAA.

Continue Reading

The Weekly Privacy Rewind

Class Actions

Macy’s Faces Suit After Disclosing Data Breach

• Retail giant Macy’s notified its customers and state regulators of a data breach affecting the accounts of online shoppers. The breach occurred between April 26 and June 12, 2018.

• Only two days after receiving notice, online Macy’s shoppers filed a putative class action complaint in the U.S. District Court for the Northern District of Alabama against the retailer because of the breach.

• Alleging negligence and violations of Alabama’s Deceptive Trade Practices Act, the suit requests an injunction against Macy’s from its allegedly “wrongful conduct,” including “refusing to issue prompt, complete and accurate disclosures” as well as actual, compensatory and statutory damages, and statutory penalties.

Continue Reading

California Passes Groundbreaking Data Privacy Law Granting Consumers Expansive Privacy Rights

California has passed an unprecedented privacy law that protects consumers’ rights by providing them with a greater degree of transparency and choice with respect to their personal information online. On June 28, 2018, Assembly Bill 375 was signed into law by Gov. Jerry Brown as the California Consumer Privacy Act of 2018 (CCPA) just hours after it was passed by the California legislature. The CCPA makes significant changes to consumer privacy protection rights for Californians, marking the advent of a new era. Below is an overview of the new law.

Who Is Regulated by the CCPA:

The CCPA will regulate “Businesses,” defined as for-profit entities that have gross revenue in excess of $25 million; or that annually buy, receive for the business’ commercial purposes, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or, that derive 50 percent or more of its annual revenues from the sale of consumers’ personal information. Continue Reading

California Passes Law Protecting Consumers’ Online Privacy

On June 28, 2018, California lawmakers passed Assembly Bill 375 and Gov. Jerry Brown signed it into law as the California Consumer Privacy Act of 2018, a privacy law that grants consumers a range of rights with respect to their personal information online. This marks the advent of a new era of consumer privacy protection that will have the force of law in the U.S. As we previously reported here, AB 375 was proposed as an alternative to an initiative that was expected to be on the November ballot. Now that AB 375 has passed, the initiative has been pulled from the ballot. This outcome is a win for both industry and consumers. The initiative was well-intentioned but deeply flawed in many ways, and it would have hurt both consumers and industry. Digital media evolves, and the legislature needs to be free to regulate based on current facts. The initiative would have locked in concepts that do not work well today. With the passing of AB 375, there is the ability to work out the details of the law. This is not to say that the status quo will be maintained for industry; the Act changes the landscape of privacy practices in California markedly.

For a summary of AB 375, see our chart here. For more information, see our blog posts here and here.