Showing 22 posts in In-House Counsel.
In a case of first impression, the Eleventh Circuit has held that an employer need not show an interruption of service to prove actionable harm under the Computer Fraud and Abuse Act (CFAA) and other federal laws. This is good news for employers and potentially for others who suffer computer intrusions.
Yahoo has (not surprisingly) been hit with multiple consumer class action claims relating to its massive data breach. It is unclear exactly when Yahoo uncovered the 2014 breach; news reports characterize the find as "recent." Yahoo also has said that it is cooperating with law enforcement, which could help offset any issues tied to a delay of announcement.
On September 13, 2016, the New York Attorney General announced settlements with four major US toy and media companies regarding their use of online tracking of children who use their websites. Viacom, Inc. (Nickelodeon), Hasbro, Inc. (My Little Pony), and Mattel, Inc. (Barbie, Hot Wheels, American Girl) are among the companies fined a collective $835,000 for violating the Children's Online Privacy Protection Act (COPPA).
The EU/US Privacy Shield, which governs transfers of personal information from the EU to the US, is now effective and available to US companies for self-certification. Any US company that wants to self-certify its compliance with Privacy Shield protections may do so now; and any company that does so before September 30 will have nine months to get its downstream data processing contracts in order.
Compliance and self-certification involve publishing a new privacy statement and a statement to the Department of Commerce, both of which must set forth information about a company's compliance with several fundamental principles:
- Notice and Choice about how an EU individual's personal information is shared with third parties,
- Access to that information for correction or deletion,
- Security undertakings regarding that information,
- Data Integrity and Limited Purpose use regarding such information,
- Recourse to independent dispute mechanisms by aggrieved EU data subjects, and
- Accountability for "onward transfer" of EU data to third parties.
The process of self-certification is fairly straightforward and may be a good idea for companies formerly covered by the Safe Harbor. Any company that collects, processes or uses data from the EU may want to consider Privacy Shield self-certification.
For companies that do wish to certify, there is a grace period of nine months to become compliant with the "onward transfer" principle if certification is made before the end of this month. That would allow a certifying company time to put in place a compliant contract procedure for vendors who may process data (procurement, purchasing, customer relations, for example) via downstream contracts.
There is no deadline for self-certification, which can be elected at any time; but the grace period is one-time-only as the Privacy Shield is taking effect.
The officials working to replace the recently invalidated data transfer Safe Harbor have a handshake deal in place.
The full details are not yet public, but presumably will be disclosed before the deadline of January 2016 for US businesses to comply with EU data protection laws.
The Savannah Economic Development Authority (SEDA) is making Georgia an even more attractive place to shoot films, starting in 2016. This is a boost to an industry that didn't exist in Georgia in a big way until about 10 years ago, but that has grown rapidly: filmed entertainment brought about $6 billion to Georgia in 2014.
Data security is a multi-part process for most organizations. Today's installment of cyber hygiene habits for 2015 reminds us that updating software is a critical step in securing our networks.
This fourth installment in our cyber hygiene series will discuss the importance of hardware upgrades in maintaining corporate data security. As with all the best practices we recommend in this series, the idea behind protection is to avoid incidents where possible, mitigate damage if they occur, and have a defensible position or "storyline" if you suffer a dispute or investigation.
For 2015, we are addressing data security and privacy by discussing topics relating to information security and hygiene. Parts one and two covered knowledge of what laws cover your business and of what data you have in your networks. This installment covers the human side of data handling: which employees have access to your data, and why.
Showing an increased level of concern for coordination between industry and the public, the U.S. Department of Justice ("DOJ") has issued guidance on cybersecurity risks and the steps that industry and consumers should take to prepare for cybersecurity threats.
The DOJ guidance on cybersecurity is very basic. The guidance is roughly 15 pages long and suggests that businesses familiarize themselves with their information networks and develop a plan for how to respond in the event of a breach in security. (Nothing novel here.)