Navigating the State Data Breach Laws? An Enhanced Resource is Available

In large security incidents, the differences among state breach notification laws usually do not come into play. In smaller matters, where individuals in only a few states are potentially affected, the differences sometimes result in having an obligation to notify individuals in some states but not others. And states have been active in amending their notification laws, creating even more differences. Maryland started off 2018 with an amended breach notification law, and Arizona, Colorado, Connecticut, Delaware, Iowa, Louisiana and Oregon followed suit. Also this year, the final two states without data breach notification laws, Alabama and South Dakota, passed laws.


The Weekly Privacy Rewind

Class Actions

Judge Approves $80M Settlement in Yahoo Data Breach Suit

• U.S. District Judge Lucy Koh awarded plaintiffs $80 million in a consolidated class action brought against Yahoo by shareholders resulting from data breaches Yahoo experienced in 2014 and 2016.

• According to the suit, Yahoo’s stock was trading at an artificially high price because of the company’s failure to disclose the breaches in a timely fashion.

• This is not the end of litigation related to these breaches, as Yahoo continues to face claims from users.


New Mexico Attorney General Is Turning Up the Heat on Enforcement of Data Privacy Laws

With the announcement last week of its new lawsuit against several tech companies for violating the Children’s Online Privacy Protection Act (“COPPA”), the FTC Act, and New Mexico’s Unfair Practices Act (“UPA”), the State of New Mexico Office of the Attorney General appears to be the latest in an expanding list of state attorneys general who are focusing more on the enforcement of federal and state data privacy and cyber security laws.


Is a New Federal Data Privacy Law on the Horizon? The Tech Industry Sure Hopes So

Despite several failed attempts in recent years, there is a new effort underway to enact a federal data privacy law, and it’s being led by a somewhat unlikely source – the tech industry. Although they were resistant to a federal privacy law in the past, powerful tech industry players now appear to be publicly embracing such legislation. Last week, several tech industry trade groups and consortia released statements supporting the creation of a national privacy law. In addition, on September 26, 2018, executives of major tech companies are scheduled to testify before the Senate Commerce Committee in a hearing titled “Examining Safeguards for Consumer Data Privacy.”


The Weekly Privacy Rewind

Class Actions

Hotel Investment and Management Firm Aimbridge Hospitality LLC Removes Putative Class Action to Federal Court

• Hospitality company Aimbridge Hospitality LLC (Aimbridge) removed a putative class action lawsuit by a former laundry attendant that alleged that her personal information was exposed in a March 2018 data breach. The complaint alleged that the putative class members suffered damages related to costs they were required to pay for credit monitoring services resulting from the alleged breach.

• In its filing, Aimbridge claims that the suit is subject to removal under the Class Action Fairness Act because members of the proposed class are diverse from Aimbridge, there are more than 100 possible class members and damages could total more than $5 million.


The Weekly Privacy Rewind

Class Actions

San Francisco Transit Agency Seeks Approval of Class Action Settlement

• Bay Area Rapid Transit (BART) sought preliminary approval of a class action settlement to resolve claims that the transit agency’s mobile app secretly collected various information about its users, including mobile device ID number and location, even when users are not reporting incidents.

• Under the settlement, BART has agreed to certain injunctive relief, including to not collect information about app users, and will not oppose the named plaintiff’s request for an incentive award of up to $2,500. BART also agreed not to oppose class counsel’s request for attorneys’ fees of up to $57,500.

Data Breaches

Cryptocurrency Investment Platform Atlas Quantum Breached

  • Atlas Quantum, an investment platform that allows users to buy and sell bitcoin and other cryptocurrencies, experienced a data breach that exposed the personal information of approximately 261,000 users.
  • According to the company, although no cryptocurrency was stolen, the breach exposed customers’ names, phone numbers, email addresses and account balances.

Air Canada Mobile App Breach Exposes as Many as 20,000 User Profiles

  • Air Canada recently notified users that “unusual login behavior” on its mobile app from August 22 through August 24 may have allowed an unauthorized user to access as many as 20,000 profiles, potentially exposing names, email addresses, telephone numbers, Known Traveler Numbers, gender, birth dates, nationalities and passport information.
  • According to the company’s notice, no credit card information was exposed, and the risk of a third party fraudulently obtaining a passport in someone’s name is low.

T-Mobile Incident Affects as Many as Two Million Customers

  • Telecom company T-Mobile experienced a data security incident that it described as allowing “unauthorized access to certain information” of as many as two million customers.
  • In the company’s online statement, it disclosed that personal information, including name, billing zip code, phone number, email address, account number and account type, may have been exposed. No financial information or Social Security numbers were involved.

California Amends Landmark Privacy Law Delaying Enforcement and Making Revisions

With only hours left in the 2018 legislative session, the California Legislature has amended the California Consumer Privacy Act of 2018 (CCPA) by passing SB-1121. The legislature was expected to amend the CCPA, which passed just about one week after it was proposed, in a rush to avoid a different version of the act being finalized as a ballot initiative that would have been on the November ballot. We wrote about that process here and here. A summary of the CCPA as originally passed is here, and recommendations on how to start to prepare are here.

California Consumer Privacy Act: Navigating Consumer Lawsuits & Limiting Remedies

California’s new privacy law, the California Consumer Privacy Act of 2018 (CCPA or act), which goes into effect Jan. 1, 2020, grants California residents (referred to as consumers in the act but not limited to consumers) a wide range of rights in regard to their personal information, broadly defined. To enable compliance with the act, covered businesses will be required to implement data management practices that increase consumers’ transparency and choice. For example, the CCPA requires that a business that falls under the act track personal information collected about consumers and inform consumers of the categories of personal information collected as well as the business and commercial purposes for collection of each category of personal information. In addition, to comply with the CCPA, a business must provide access to and portability of consumer information and delete consumer personal information upon request. For more details on what the CCPA will require, what businesses and data will be covered, and how to prepare for the CCPA, see our prior posts here and here.


The Weekly Privacy Rewind

Biometric Information Privacy Act

AGCO Corp., Ceridian HCM Inc. and Hegewisch Development Corp. Latest Employers to Face Allegations of BIPA Violations

• Lawsuits against employers for alleged violations of Illinois’ Biometric Information Privacy Act (BIPA) show no signs of slowing, with three more employers, AGCO Corp., Ceridian HCM Inc. and Hegewisch Development Corp., all facing suits in recent weeks.

• The complaints all are very similar, with each alleging that the defendants collected fingerprint information without informing their employees in writing of the purpose for which or length of time the fingerprints would be stored.

• Each suit seeks class certification and statutory damages of $5,000 per violation.


SB-1121 Does Not Fix the CA Consumer Privacy Act, But Would Delay Enforcement

In response to controversies concerning consumers’ personal information, such as the Facebook/Cambridge Analytica controversy, and a California ballot initiative that qualified for the November ballot and proposed the California Consumer Privacy Act (“CCPA Initiative”), the legislature in California responded with AB-375, which proposed an alternative version of the California Consumer Privacy Act of 2018. The authors of AB-375 worked out a compromise with the sponsors of the CCPA Initiative, and AB-375 was passed and signed by Governor Jerry Brown, becoming the California Consumer Privacy Act of 2018, codified at Title 18.1.5 of the California Civil Code (the “CCPA”). We have written about the CCPA here and here. The CCPA becomes effective January 1, 2020, though practically, businesses will need to start data mapping and recordkeeping on January 1, 2019, to be able to be in compliance upon the effective date. The legislature has already started a process of potentially amending the CCPA through SB-1121, which was originally intended as a different alternative to the CCPA Initiative (“Old SB-1121”). SB-1121 was amended on August 6, 2018, to refine the CCPA (“New SB-1121”). However, as Santa Clara University School of Law Professor Eric Goldman states in his recent article Recent Developments Regarding the California Consumer Privacy Act, New SB-1121 “represents less than 1% of the obviously needed changes to the bill.” Professor Goldman’s article does a good job of identifying errors and problems that he has collected through crowdsourcing and of summarizing proposed changes that have been submitted to the bill’s authors by leading industry groups led by the Association of National Advertisers (“ANA”) (“ANA Coalition Proposal”), as well as from public interest groups, including the Electronic Frontier Foundation (“EFF”).

On August 24, New SB-1121 was further amended (“8/24 Amendment”), adding some additional notable changes such as expanding the carve-out of data regulated by federal and state privacy laws for healthcare entities and financial institutions, providing for immediate preemption of local laws, and delaying enforcement of the CCPA by the Attorney General until the earlier of six months from adoption of regulations or July 1, 2020. A copy of the current bill as of August 24 is here. Unfortunately, even with the August 24 additions, much remains to be fixed, and in this post we point out issues the legislature should address.
