EU-U.S. Privacy Shield Framework Joint Annual Review 2.0

As we previously reported here, the Federal Trade Commission (FTC) announced several enforcement actions in late 2017, on the eve of the first annual joint EU-U.S. review of the Privacy Shield Framework. Now the second annual review of the EU-U.S. Privacy Shield Framework is underway, and the FTC has announced several new enforcement actions, which are meant to highlight the importance of the framework and reaffirm the U.S.’s commitment to strong privacy enforcement.

GDPR Spurring Legal Reforms in South America With New Legislation in Brazil

As organizations continue to grapple with the requirements of the EU General Data Protection Regulation (GDPR) even months after its effective date, one thing is clear: The impact of the regulation extends far beyond an organization’s European operations. The global effects of the GDPR are even more apparent when one surveys new and proposed data protection legislation around the world. On Aug. 14, 2018, Brazil signed into law the Lei Geral de Proteção de Dados Pessoais (LGPD), the first omnibus privacy law in the nation’s history. The law, which is set to take effect on Feb. 16, 2020, is very similar to the GDPR, including in its expansive definition of personal data and its strong emphasis on both the rights of data subjects and the requirement of lawful bases of processing of personal data.

The Weekly Privacy Rewind

Class Actions

Plaintiffs Seek Approval for $4.3 Million Settlement With Sonic in Credit Card Data Breach Suit

• Following a variety of lawsuits against fast food chain Sonic Drive-In related to a 2017 credit card data breach, plaintiffs are seeking consolidation of those suits, class certification and a $4.3 million settlement.

• The settlement would create a nationwide class of Sonic diners affected by the breach, each of whom would receive $10 if they used their credit or debit cards at the store, or $40 if they experienced fraudulent or unauthorized charges.

• The plaintiffs argued that the settlement is fair when balanced with the risks of further litigation.

Broker-Dealer and Investment Adviser Agrees to Settle SEC Enforcement Action Arising From a Data Security Incident

The U.S. Securities and Exchange Commission (SEC) recently announced a consent order settling an enforcement action brought by the SEC against Voya Financial Advisors Inc. (VFA) in connection with a data security incident that occurred in 2016. VFA is a registered broker-dealer and investment adviser with the SEC. The order memorializes the SEC’s agreement to accept $1 million in settlement of the charges alleging that VFA violated both the SEC’s “Safeguards Rule” and “Identity Theft Red Flags Rule.” This was the SEC’s first enforcement action under the Identity Theft Red Flags Rule.

As background, over a six-day period in April 2016, fraudsters impersonating VFA independent registered representatives called VFA’s support line and requested a reset of three representatives’ passwords to VFA’s web portal used to access VFA customer information. VFA reset the passwords, provided temporary passwords over the phone for all three representatives and provided the representatives’ user names to the fraudsters for two of the impersonated representatives. Within three hours of the first fraudulent reset request, one of the actual representatives called VFA to report that he had just received an email notifying him that his password was reset and that he had not requested this action. In response, VFA began to implement containment measures, but the actors were still able to obtain credentials to log in to the portal and access personally identifiable information (PII) for more than 5,600 customers. The actors were also able to set up new VFA customer accounts in VFA’s web portal. The investigation that ensued found that there were no unauthorized transfers of funds or securities by the actors (or known cases of identity theft). VFA had also previously been subject to a similar attack between January and March of the same year, where fraudsters utilized some of the same phone numbers and techniques impersonating representatives as in the April 2016 event. Additionally, one of the representatives targeted in the April 2016 event was targeted in this previous incident.

FDA Regional Incident Preparedness and Response Playbook Provides Guidance to the Healthcare Industry for Large-scale, Multi-patient Medical Device Cybersecurity Incidents

Earlier this month, the Mitre Corporation, on behalf of the Food and Drug Administration (FDA), released the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook (the Playbook) as part of the FDA’s ongoing efforts to protect patients from cybersecurity vulnerabilities associated with the use of medical devices. The Playbook highlights high-profile cybersecurity attacks, including the WannaCry and Petya/Not Petya attacks, and the need for preparation for handling large-scale incidents involving medical devices. The Playbook’s primary audience includes healthcare delivery organizations, clinicians, healthcare technology management professionals, risk managers, facilities staff and information technology personnel involved with emergency response and preparedness. The Playbook provides preparedness and response recommendations for large-scale, multi-patient medical device cybersecurity issues that impact the functionality of a device and patient safety, and recommends that medical device cybersecurity incidents be included as part of the overall incident response plan.

The Playbook focuses on regional medical device cybersecurity incident preparedness and response, and developing regional partnerships to draw upon the expertise across a “region” to help ensure that patient safety is maintained. The Playbook also provides guidance for all phases of medical device incident response, including preparedness, detection and analysis, containment, eradication, recovery, and post-activity analysis. The Playbook is available here.

SEC Investigation Highlights BEC Risk and Need for Comprehensive Risk Assessments by Public Companies

The Securities and Exchange Commission issued a press release and an investigative report on Oct. 16 cautioning public companies to consider cyber threats when implementing internal accounting controls. The report stems from the SEC’s investigation of nine companies that lost between $1 million and $100 million each in so-called business email compromise (BEC) frauds, in which attackers take over accounts on a company’s email system and use that access to trick company personnel into paying large sums to bank accounts controlled by the attackers. The attackers often divert funds intended for employees, contractors or vendors, and the SEC’s report notes that the frauds sometimes last months and are only detected when law enforcement intervenes or the real payee complains that payments never arrived.

California Legislature Cracks Down on Advertising Bots Involved in Commercial Transactions and Influencing Voters in Elections

Bot or real person? – a question most online users probably don’t ask themselves when interacting online or seeing how many followers a person has on a social media platform. Most likely, online users don’t know whether they are talking to a “bot,” especially if they think they are communicating on or browsing an interactive site. This lack of transparency may be due to the fact that there is currently no enacted law that relates to the disclosure of the use of automated bot accounts on social media.

The Weekly Privacy Rewind

Medline and Con Tech Lighting Latest Illinois Employers Hit With Claims under BIPA

• Two Illinois employers, Con Tech Lighting and Medline Industries, are the latest to face claims alleging violations of Illinois’ Biometric Information Privacy Act.

• In the Con Tech complaint, the named plaintiff, who is seeking class certification, alleges that she was never informed “the specific limited purposes or length of time” for which her biometric information “would be collected, stored or disseminated.” The complaint seeks statutory damages of $5,000 for each willful or reckless violation and $1,000 for each negligent violation of BIPA.

• The complaint against Medline, which also seeks class certification, alleges that the plaintiff, who is no longer employed by the company, has been unsuccessful in getting the company to respond to her attempts to understand whether it maintained her fingerprints after she left the company. According to the complaint, the “[p]laintiff would not have provided her fingerprints to defendant had she known that defendant would retain such information for an indefinite period of time without her consent.”

• Both cases were filed in Cook County Circuit Court.

The Ninth Circuit Wades Into the “Autodialer” Fray and Creates a Circuit Split. TCPA Litigants Await FCC Guidance

What constitutes an autodialer or “automatic telephone dialing system” (ATDS) under the Telephone Consumer Protection Act (TCPA) is in flux.

Under the statute, an “automatic telephone dialing system” is defined as “equipment that has the capacity” to “store or produce telephone numbers to be called, using a random or sequential number generator,” and “to dial such numbers.” 47 U.S.C. § 227(a)(1).

California Delays Privacy Law Enforcement and Congress Is Lobbied to Pre-empt the Law

This summer California enacted, effective Jan. 1, 2020, the California Consumer Privacy Act (CCPA), a privacy law unprecedented in the U.S. that grants California residents a broad range of European-like privacy rights. Amendments passed as SB 1121 on Aug. 31 and signed into law by Gov. Brown on Sept. 23 extend the time for the California attorney general (CaAG) to promulgate regulations to July 1, 2020, push back enforcement until the earlier of that date or six months from issuance of the regulations, and remove the CaAG’s ability to intervene in private lawsuits – changes made at the request of the CaAG. Fortunately for industry, the CaAG’s recommendation that the CCPA’s limited private right of action be expanded was rejected, and language was even added to clarify the limits of consumer lawsuits. The U.S. Chamber of Commerce is lobbying Congress to pass a federal omnibus privacy and data protection law that would pre-empt the CCPA and other existing and future state data protection laws. See its proposal and statement here. The Internet Association, a trade group that represents leading internet companies, has also released a proposed framework for federal legislation. Most recently, on Sept. 24, the Interactive Advertising Bureau, with 650 digital advertising industry members, joined in the calls for a federal omnibus law to pre-empt CCPA in a letter to the Senate committee exploring such a bill.