The Weekly Privacy Rewind

Class Actions

Finkly & Sons Co. Faces Illinois Biometric Information Privacy Act Class Action

• A former employee of steelmaker A. Finkly & Sons Co. filed a putative class action against the company in Cook County, Illinois, for violations of the Illinois Biometric Information Privacy Act (BIPA).

• The case alleges the company violated BIPA by inappropriately collecting biometric data in the form of handprints for a timekeeping program without obtaining prior consent of employees, and it seeks damages of up to $5,000 per violation.

OCR Announces Intention to Move Forward With Development of Methodology to Distribute Enforcement Funds to Victims of HIPAA Violations

The Office for Civil Rights (OCR) updated its agenda, outlining proposed and final rules as well as pre-rule document releases for 2018. A notable, and highly anticipated, advance notice of proposed rulemaking included on the agenda indicates OCR will seek comments on establishing a way to distribute funds collected from Health Insurance Portability and Accountability Act (HIPAA) enforcement actions to individuals harmed by the underlying incident. This would fulfill a long-awaited and overdue requirement included in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which required OCR to issue regulations about this methodology within three years of HITECH’s 2009 enactment date. The agenda indicates this advance notice of proposed rulemaking will be released sometime in November 2018.

11th Circuit Issues Opinion Vacating Order That Required LabMD to Overhaul Its Data Security Program

On June 6, the 11th Circuit issued its long-awaited decision on LabMD Inc. v. Federal Trade Commission, vacating as unenforceable the Federal Trade Commission’s (FTC’s) cease and desist order that required LabMD to create and implement a variety of protective measures with respect to data security. Notably, however, the decision did not address the most important issue in the case: LabMD’s contention that the FTC lacks jurisdiction to enforce allegations that inadequate data security constitutes an unfair act or practice under Section 5 of the FTC Act (15 U.S.C. § 45(a)).

In 2005, a billing manager at LabMD downloaded the peer-to-peer file-sharing application LimeWire, inadvertently enabling the sharing of some files, including one that contained the personal information of 9,300 consumers. In 2008, an entity specializing in data security found this file and attempted to use it to pitch its data security services to LabMD. After negotiations between the data security vendor and LabMD fell through, in 2009, the data security vendor shared the file with the FTC, prompting a lengthy investigation. In August 2013, the FTC issued an administrative complaint against LabMD, alleging that its failure to provide reasonable and appropriate security for personal information on its computer networks amounted to an unfair act or practice.

The Weekly Privacy Rewind

Canada

Canadian Banks Notify 90,000 Following Breach

• Bank of Montreal and Canadian Imperial Bank of Commerce announced that they were contacted by hackers and informed that nearly 90,000 customers’ personal information was accessed.

• The banks will notify customers of the breach and indicate they believe they have fixed the vulnerabilities that led to the breach.

EU/GDPR

Privacy Activist Accuses Tech Companies of Violating GDPR

• Privacy activist Max Schrems recently filed complaints against several tech companies, including Facebook, WhatsApp and Instagram, for allegedly violating GDPR’s consent requirement for users to accept a company’s privacy policy.

• Schrems alleges that the tech companies forced users to accept their privacy policy or face expulsion from use of their services.

• These cases will be some of the first to be litigated under the new GDPR since the law went into effect on May 25, 2018.

New Jersey Attorney General’s Office Ramping Up Data Privacy and Cybersecurity Enforcement Efforts

The Office of the New Jersey Attorney General (AG’s Office) recently announced that it will be creating a new civil enforcement unit, known as the Data Privacy & Cybersecurity Section (DPC Section), to investigate data breaches impacting New Jersey residents and to enforce federal and state data privacy and cybersecurity laws. New Jersey’s AG joins an expanding list of state AGs, including those of California, Connecticut, Indiana, Maryland, Massachusetts, New York, and North Carolina, who are dedicating more resources to data breach investigation and enforcement actions.

Colorado Enacts Sweeping Changes to Data Breach Reporting Requirements and Adds New Data Security Requirements

Colorado’s Gov. John Hickenlooper signed a bill that significantly strengthens its current data breach notification requirements and adds new measures designed to enhance protections for consumer data privacy. The new law will go into effect on Sept. 1, 2018.

Disposal of personal identifying information

As previously discussed here (while the bill was in committee), HB18-1128 creates more stringent requirements regarding the disposal of personal information. Under C.R.S.A. § 6-1-713, all “covered entit[ies] in the state that maintain[] paper or electronic documents during the course of business that contain personal identifying information” will be required to develop a written policy for the destruction or disposal of such information once such documentation is “no longer needed.”

Arizona Expands Its Data Breach Notification Statute

Effective August 1, 2018, House Bill 2154, recently signed by the Arizona governor, will expand the current Arizona data breach notification law. Following the trend of other states, the amended statute expands the definition of “personal information.” The law will now require individual and regulatory notification within 45 days of a breach and will expand the risk of harm provision to not require individual or regulatory notification if it is determined the breach is unlikely to result in substantial economic loss to affected individuals.

The Weekly Privacy Rewind

Class Actions

Facebook Users BIPA Suit to Go Forward

• Denying cross-motions for summary judgment, the U.S. District Court for the Northern District of California ruled that the class action against Facebook for violating Illinois’ Biometric Information Privacy Act (BIPA) will proceed to trial.

• According to the Court, the “voluminous submissions underscore the multitude of fact disputes that bar judgment as a matter of law for either side. That is particularly true for plaintiffs’ motion, which effectively asks for entry of judgment in their favor on a record that they concede is often unsettled.”

• Trial is scheduled for July 9, 2018.

California Voters Likely to Decide Consumer Privacy Rules

California has a unique ballot initiative process that allows voters to directly pass legislation, and it appears that proponents of an initiative that could impact digital advertising and apply European Union (EU)-inspired consumer privacy protections – including opt-out consent to broad categories of data use and sharing – have obtained enough signatures to place the measure on the November ballot.

The Weekly Privacy Rewind

Class Actions

Liquor Store Chain Binny’s Is Latest Target of BIPA

• In a putative class action complaint filed in Cook County Circuit Court, employees of Illinois liquor store chain Binny’s Beverage Depot alleged the company violates Illinois’ Biometric Information Privacy Act.

• Among Binny’s alleged BIPA violations are failing to obtain consent before using employees’ fingerprints for timekeeping purposes, failing to obtain consent before disseminating such biometric data to third parties and failing to maintain lawful data-retention practices.
