The Weekly Privacy Rewind

Class Actions

Facebook Users BIPA Suit to Go Forward

• Denying cross-motions for summary judgment, the U.S. District Court for the Northern District of California ruled that the class action against Facebook for violating Illinois’ Biometric Information Privacy Act (BIPA) will proceed to trial.

• According to the Court, the “voluminous submissions underscore the multitude of fact disputes that bar judgment as a matter of law for either side. That is particularly true for plaintiffs’ motion, which effectively asks for entry of judgment in their favor on a record that they concede is often unsettled.”

• Trial is scheduled for July 9, 2018.


California Voters Likely to Decide Consumer Privacy Rules

California has a unique ballot initiative process that allows voters to directly pass legislation, and it appears that proponents of an initiative that could impact digital advertising and apply European Union (EU)-inspired consumer privacy protections – including opt-out consent to broad categories of data use and sharing – have obtained enough signatures to place the measure on the November ballot.


The Weekly Privacy Rewind

Class Actions

Liquor Store Chain Binny’s Is Latest Target of BIPA

• In a putative class action complaint filed in Cook County Circuit Court, employees of Illinois liquor store chain Binny’s Beverage Depot alleged the company violates Illinois’ Biometric Information Privacy Act.

• Among Binny’s alleged BIPA violations are failing to obtain consent before using employees’ fingerprints for timekeeping purposes, failing to obtain consent before disseminating such biometric data to third parties, and failing to maintain lawful data-retention practices.


The Weekly Privacy Rewind

Class Actions

Google Seeks Dismissal of BIPA Class Action

• Google has sought dismissal of a putative class action lawsuit alleging violations of Illinois’ Biometric Information Privacy Act (BIPA).

• According to the original complaint, Google allegedly violated BIPA by scanning photos of nonusers uploaded to Google Photos and then “extracting geometric data” of the subjects of those photos, creating facial templates, or so-called faceprints.

• In its motion to dismiss, Google argued that the putative class representatives do not have standing because “there is no evidence of data breach; no evidence of disclosure to third parties; and no evidence of misuse of any data.”


Deeper Dive: Using Response Time Metrics to Drive Incident Response Preparedness & Response Improvement

One of the most important metrics in our report is the incident response (IR) timeline, which tracks the average time it takes companies to detect, contain, fully investigate, and provide notification of the incident to individuals. The metric is valuable because it helps entities identify areas where they can improve before an incident occurs and gives them context for response-time expectations during an incident.


Last but not least: Alabama enacts a data breach notification law with strong notification and security requirements

Several weeks ago, South Dakota and Alabama became the final two states to enact data breach notification laws. The Alabama Data Breach Notification Act of 2018 takes effect on May 1, 2018, and imposes information security, breach notification and data disposal requirements on organizations handling Alabama residents’ personal information.

Alabama requires organizations to implement and maintain reasonable security measures

Alabama joins a minority of states that mandate security controls; its new law requires organizations that acquire or use personal information (“covered entities”) to protect the information with “reasonable security measures.” To guide organizations and regulators, the statute lists several considerations to help identify reasonable security measures, including whether the organization has designated an individual to coordinate its security measures, tailored security measures to an appropriate assessment of the organization’s risk scenarios and kept its management informed of the security measures. A reasonableness assessment must also consider the organization’s size, the amount of sensitive data it uses and how it uses it, and the cost to implement certain measures, and should focus on failures that are “multiple or systemic.” The statute also requires organizations to properly dispose of sensitive data that is no longer required to be retained pursuant to applicable law, regulations or business needs. Notably, however, the statute’s civil penalty provisions apply only to violations of the notice requirements discussed below.

Canadian Breach Notification Requirements Take Effect November 1

On April 18, 2018, the Canadian government published long-awaited Breach of Security Safeguards Regulations specifying the requirements for notifying the Office of the Privacy Commissioner and affected individuals of data breaches that pose a “real risk of significant harm.” The Regulations will come into force on November 1.

As we previously reported, the Digital Privacy Act, which amended Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) to include a mandatory breach notification requirement, became law nearly three years ago. The Regulatory Impact Analysis Statement accompanying the Regulations indicates that the timing of their release last week may have been motivated in part by a desire to bring Canadian standards in line with the forthcoming EU General Data Protection Regulation, which takes effect on May 25. Certain stakeholders, including the Privacy Commissioner, advocated immediate implementation of the Regulations, citing the “lengthy period of consultations on the Regulations and the frequency of data breaches involving the information of Canadians” as well as “the need to align the Regulations more closely with those of the breach reporting requirements of the GDPR given that many Canadian organizations must comply with both Canadian and European law.”


Deeper Dive: Forensics

A company’s ability to quickly and effectively conduct a forensic investigation is often critical to limiting the impact of a data security incident, determining the scope of the incident and developing an effective communications plan. In BakerHostetler’s 2018 Data Security Incident Response Report, we analyzed over 560 data security incidents that we worked on in 2017. A forensic investigation was conducted in 41 percent of those incidents, which represents a 7 percent increase from 2016, showing that more companies are realizing the benefits of engaging outside forensic firms. For incidents involving network intrusions, forensic investigations were conducted in 65 percent of matters. Network intrusions are often complex investigations requiring specialized forensic tools and expertise that many organizations do not have internally. The average cost of a forensic investigation in 2017 was $84,417, which represents a 35 percent increase from 2016 (but is still lower than the 2015 average cost of $102,806). However, the increase in average cost is primarily due to the number of large, complex network intrusion investigations we handled in 2017. For the 20 largest forensic investigations we handled in 2017, the average cost of forensics was $436,938.


The Weekly Privacy Rewind

Data Breaches

Portable Oxygen Device Maker Inogen Announces Data Breach

• Inogen Inc., which makes portable oxygen devices, reported to the U.S. Securities and Exchange Commission that it experienced a data breach that involved approximately 30,000 current and former customers.

• According to the company’s Form 8-K, sometime between Jan. 2 and March 14, unauthorized individuals gained access to an employee’s email account, which contained personal information belonging to Inogen oxygen rental customers.

• Inogen “is notifying approximately 30,000 current and former customers of this incident and will provide resources, including credit monitoring and an insurance reimbursement policy, to assist them.”


U.S. Senate Duo and California Ballot Initiative Propose to Radically Alter U.S. Consumer Internet Privacy and Upend Digital Advertising

Amid growing concerns over the improper use of user information and data breaches, and in the same week as the Senate examines the Cambridge Analytica controversy, a duo of U.S. senators who have long advocated for federal consumer privacy legislation seized the moment to propose a bill that would give the Federal Trade Commission (FTC or Commission), for the first time, the authority to promulgate regulations governing internet publishers’ and service providers’ privacy practices regarding adults, and that proposes seemingly European Union (EU)-inspired privacy protections, including opt-in consent to broad categories of data use and sharing. If passed, the law, and the FTC regulations to be promulgated under it, could radically alter the internet economy by making it significantly harder for publishers to monetize data to provide more relevant advertising to users, so-called interest-based advertising (IBA), which is the economic underpinning of the business model of the publishers and services that provide their content and services to users for free on an advertiser-supported basis. The proposal actually goes further in some ways than EU law, in that it would prohibit limiting services to users who consent to the data use and sharing necessary for IBA, and would give the FTC the authority to determine whether pricing based on “discounts or other incentives in exchange for express affirmative consent” is “reasonable.” Although scores of prior attempts by Congress to pass broad federal consumer privacy legislation have gone nowhere, the circumstances of the moment may have created a tipping point. And even if a federal consumer privacy law fails to get through Congress, a California advocacy group is attempting to qualify a ballot initiative for EU-style privacy laws for the November general election that could also threaten ad-supported digital media.
