Showing 6 posts from September 2016.
Yahoo has (not surprisingly) been hit with multiple consumer class action claims relating to its massive data breach. It is unclear exactly when Yahoo uncovered the 2014 breach; news reports characterize the find as "recent." Yahoo also has said that it is cooperating with law enforcement, which could help offset any issues tied to a delay of announcement.
The massive breach of accounts at Yahoo revealed on September 22, 2016, brings several thoughts to mind:
- The purchase of Yahoo by Verizon Wireless has not yet closed. Any companies undergoing diligence on the M&A front should account for this kind of issue (Yahoo's breach occurred several years ago) as part of the value and process of the transaction.
On September 13, 2016, the New York Attorney General announced settlements with four major US toy and media companies regarding their use of online tracking of children who use their websites. Viacom, Inc. (Nickelodeon), Hasbro, Inc. (My Little Pony), and Mattel, Inc. (Barbie, Hot Wheels, American Girl) are among the companies fined a collective $835,000 for violating the Children's Online Privacy Protection Act (COPPA).
Entrepreneurs and angel investors often ask whether an investment in a particular start-up will qualify as “qualified small business stock” for purposes of Section 1202 of the Internal Revenue Code (the “IRC”).
IRC Section 1202 creates a powerful incentive for investors to invest in qualified small business stock. If all the requirements of Section 1202 apply, an investor may exclude from income between 50% and 100% of the gain the investor realizes upon a qualifying sale of that small business stock that the investor has held for five years or more. In other words, under some circumstances, the investor’s gain can be tax-free!
The EU/US Privacy Shield, which governs transfers of personal information from the EU to the US, is now effective and available to US companies for self-certification. Any US company that wants to self-certify its compliance with Privacy Shield protections may do so now; and any company that does so before September 30 will have nine months to get its downstream data processing contracts in order.
Compliance and self-certification involve publishing a new privacy statement and a statement to the Department of Commerce, both of which must set forth information about a company's compliance with several fundamental principles:
- Notice and Choice about how an EU individual's personal information is shared with third parties,
- Access to that information for correction or deletion,
- Security undertakings regarding that information,
- Data Integrity and Limited Purpose use regarding such information,
- Recourse to independent dispute mechanisms by aggrieved EU data subjects, and
- Accountability for "onward transfer" of EU data to third parties.
The process of self-certification is fairly straightforward and may be a good idea for companies formerly covered by the Safe Harbor. Any company that collects, processes or uses data from the EU may want to consider Privacy Shield self-certification.
For companies that do wish to certify, there is a grace period of nine months to become compliant with the "onward transfer" principle if certification is made before the end of this month. That would allow a certifying company time to put in place a compliant contract procedure for vendors who may process data (procurement, purchasing, customer relations, for example) via downstream contracts.
There is no deadline for self-certification, which can be elected at any time; but the grace period is one-time-only as the Privacy Shield is taking effect.
A federal court ruling this week contributes to the confused state of which US agencies may regulate behavior of ISPs relating to the Internet. The Ninth Circuit has held that the Federal Trade Commission (FTC)—the nation's fair advertising watchdog—may not police ISP performance claims put forth by AT&T. The reason? AT&T is a "common carrier," a public utility historically regulated by the Federal Communications Commission (FCC) rather than the FTC. The rub, though, is that the two agencies generally have split jurisdiction, with ad claims falling squarely to the FTC regardless of what industry produced the ad in question.
This ruling appears to signal that common carrier ads, i.e. those of any FCC-regulated communications utility, cannot be challenged by the FTC. That opens up a lot of fights about who is a common carrier and which aspects of their business, operations versus advertising, may be policed by which agency. Such uncertainty is unwelcome for companies playing in the fast-moving Internet field: not knowing whose standards apply and how is a real business challenge. It also makes it hard to know where consumers should go with a complaint.