In a case of first impression, the Eleventh Circuit has held that an employer need not show an interruption of service to prove actionable harm under the Computer Fraud and Abuse Act (CFAA) and other federal laws. This is good news for employers and potentially for others who suffer computer intrusions.
On September 13, 2016, the New York Attorney General announced settlements with four major US toy and media companies regarding their use of online tracking of children who use their websites. Viacom, Inc. (Nickelodeon), Hasbro, Inc. (My Little Pony), and Mattel, Inc. (Barbie, Hot Wheels, American Girl) are among the companies fined a collective $835,000 for violating the Children's Online Privacy Protection Act (COPPA).
United States businesses have been on tenterhooks since October, when the European Union's (EU) highest court dismantled a privacy scheme covering trans-Atlantic data transfers. That scheme, the Safe Harbor, was a negotiated solution allowing U.S. businesses to self-certify that they met certain privacy standards, and thereby to avoid dealing with laws and regulators in every individual EU member country. With the dismantling of Safe Harbor, the EU and U.S. have been scrambling to negotiate a replacement.
Earlier this week, the "Privacy Shield" that will replace Safe Harbor was announced. Details are not yet fully available (a draft has not been published), but we know they include periodic review of U.S. practices and promises, the appointment of a U.S. ombudsman, certain individual rights of action for EU citizens who feel their information has been mishandled, and more. As of today, EU member countries say they will hold off prosecuting U.S. companies for privacy violations for at least a few months, pending implementation of the Privacy Shield.
However, U.S. businesses still do not know what the precise legal rules are that apply to their use of data from EU persons (employees, customers, vendors). In light of the uncertainty, and until the Privacy Shield is published along with any guidance from U.S. regulators, any business with trans-Atlantic connections should use caution and should be aware of where its data resides.
The officials working to replace the recently invalidated Safe Harbor data-transfer framework have reached a handshake deal.
The full details are not yet public, but presumably will be disclosed before the January 2016 deadline for US businesses to comply with EU data protection laws.
Data security is a multi-part process for most organizations. Today's installment of cyber hygiene habits for 2015 reminds us that updating software is a critical step in securing our networks.
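"Update your software" is only checkable if you can compare what is installed against what counts as patched. The script below is an added example, not code from the original post: it audits a constructed software inventory against a constructed baseline of minimum patched versions (the package names and version strings are illustrative, not real advisory data) and shows why version strings must be compared as numeric runs rather than as plain text, since a lexical comparison would treat 1.10 as older than 1.9.

```python
"""Patch-compliance check for a software inventory.

Added example, not part of the original post. Assumes an inventory
exported as name/version pairs and a baseline of minimum patched versions
maintained from vendor advisories; both are constructed samples here.
"""
import re

# Constructed sample inventory: what a host reports as installed.
INVENTORY = {
    "openssl": "1.0.1e",
    "openssh": "7.1p2",
    "bash": "4.3.30",
    "nginx": "1.10.0",
    "curl": "7.47.0",
}

# Constructed baseline: the oldest version considered patched for each
# package. In practice this comes from vendor advisories, not from here.
BASELINE = {
    "openssl": "1.0.1t",
    "openssh": "7.1p2",
    "bash": "4.3.30",
    "nginx": "1.9.15",
    "sudo": "1.8.15",
}


def parse_version(text):
    """Split '1.10.0', '1.0.1e' or '7.1p2' into a comparable tuple.

    Numeric runs become integers so that 1.10 > 1.9; letter runs stay as
    lowercase strings. Each element is tagged (1 for numbers, 0 for
    letters) so mixed tuples compare without a TypeError, and a version
    that is a prefix of another (1.0.1 vs 1.0.1e) sorts as the older one.
    """
    key = []
    for part in re.findall(r"\d+|[a-zA-Z]+", text):
        if part.isdigit():
            key.append((1, int(part)))
        else:
            key.append((0, part.lower()))
    return tuple(key)


def is_patched(installed, minimum):
    """True when the installed version is at or above the baseline."""
    return parse_version(installed) >= parse_version(minimum)


def audit(inventory, baseline):
    """Return {package: (installed, minimum)} for every problem found.

    Out-of-date packages carry their baseline version; packages installed
    but absent from the baseline are reported with minimum None so the
    baseline gets extended instead of the gap being silently ignored.
    Baseline entries for software that is not installed are skipped.
    """
    findings = {}
    for name, installed in sorted(inventory.items()):
        minimum = baseline.get(name)
        if minimum is None:
            findings[name] = (installed, None)
        elif not is_patched(installed, minimum):
            findings[name] = (installed, minimum)
    return findings


if __name__ == "__main__":
    for name, (have, need) in audit(INVENTORY, BASELINE).items():
        if need is None:
            print(f"{name}: installed {have}, not covered by baseline")
        else:
            print(f"{name}: installed {have}, minimum patched {need}")
```

On the sample data the audit flags openssl (1.0.1e is below the 1.0.1t baseline) and curl (installed but not in the baseline); nginx 1.10.0 correctly passes against 1.9.15. Feeding it a real inventory means exporting the package list from each host and keeping the baseline current as advisories arrive.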
This fourth installment in our cyber hygiene series will discuss the importance of hardware upgrades in maintaining corporate data security. As with all the best practices we recommend in this series, the idea behind protection is to avoid incidents where possible, mitigate damage if they occur, and have a defensible position or "storyline" if you suffer a dispute or investigation.
For 2015, we are addressing data security and privacy by discussion of topics relating to information security and hygiene. Parts one and two covered knowledge of what laws cover your business and of what data you have in your networks. This installment covers the human side of data handling: which employees have access to your data, and why.
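Knowing which employees have access to which data, and why, is a join between the HR roster, an access policy and the access list exported from each system. The script below is an added example and not code from the original post: it runs that join over three constructed inputs (hypothetical employee ids, roles and data sets) and flags the four cases an access review is looking for, namely accounts nobody in HR owns, departed employees whose access survived them, access that the holder's role does not justify, and access that is justified but has not been used in months.

```python
"""Access review: who has access to what, and whether their role justifies it.

Added example, not part of the original post. All three inputs are
constructed samples with hypothetical ids, roles and data set names.
"""
from datetime import date

# Constructed HR roster: employee id -> (role, still employed?).
ROSTER = {
    "e100": ("payroll", True),
    "e101": ("engineering", True),
    "e102": ("sales", False),        # departed; account should be gone
    "e103": ("engineering", True),
}

# Constructed policy: the data sets each role needs for its job.
POLICY = {
    "payroll": {"hr_records", "payroll_db"},
    "engineering": {"source_repo"},
    "sales": {"crm"},
}

# Constructed export of current grants: (account, data set, last use).
ACCESS = [
    ("e100", "payroll_db", date(2015, 3, 2)),
    ("e100", "hr_records", date(2015, 3, 1)),
    ("e101", "source_repo", date(2015, 3, 3)),
    ("e101", "payroll_db", date(2014, 9, 30)),        # outside role
    ("e102", "crm", date(2014, 12, 15)),              # departed user
    ("e103", "source_repo", date(2014, 6, 1)),        # unused for months
    ("svc_backup", "payroll_db", date(2015, 3, 3)),   # not in roster
]

STALE_AFTER_DAYS = 90
REVIEW_DATE = date(2015, 3, 4)   # constructed "today" for the sample run


def review(access, roster, policy, today):
    """Return a list of (account, dataset, reason) findings.

    Reasons, checked in this order so each grant gets one verdict:
      orphaned     - account is not in the HR roster at all
      departed     - roster says the person no longer works here
      outside_role - the policy for their role does not grant this data set
      stale        - justified, but unused for more than STALE_AFTER_DAYS
    A departed user's access is reported regardless of role because it
    must be removed either way.
    """
    findings = []
    for account, dataset, last_used in access:
        if account not in roster:
            findings.append((account, dataset, "orphaned"))
            continue
        role, employed = roster[account]
        if not employed:
            findings.append((account, dataset, "departed"))
        elif dataset not in policy.get(role, set()):
            findings.append((account, dataset, "outside_role"))
        elif (today - last_used).days > STALE_AFTER_DAYS:
            findings.append((account, dataset, "stale"))
    return findings


if __name__ == "__main__":
    for account, dataset, reason in review(ACCESS, ROSTER, POLICY, REVIEW_DATE):
        print(f"{account:12} {dataset:12} {reason}")
```

The unflagged grants (payroll staff on the payroll database, engineers on the source repository, all used recently) are the ones the review can document as justified; the four findings are the remediation list. Service accounts such as the orphaned backup account need an owner recorded somewhere, otherwise every review will re-flag them.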
The EU high court today struck down the fifteen-year-old "Safe Harbor" that has allowed US businesses to operate there under a single set of privacy rules. Reacting to the Edward Snowden revelations about NSA spying programs, the EU court ruled that companies in the U.S., which has no national set of privacy rules for consumer data, must now deal with the privacy regulators in each EU country rather than with a single, uniform, EU-wide standard.
For US businesses that process data coming out of EU countries, this creates a huge level of uncertainty and difficulty. Online businesses, Web sites, cloud storage, e-commerce, data processing, and more may be affected if they handle EU data. If you are an online, Web, or cloud company, or if you have employees overseas and therefore process HR data across borders, please start looking at your privacy policies and practices.
As a practical matter, this decision probably means that affected US businesses will have to achieve compliance with the strictest EU member privacy rules (highest common denominator) about things like cookies, consumer access to data, right to be forgotten, and so forth. It's a big compliance headache.
The Third Circuit Court of Appeals, in Federal Trade Commission v. Wyndham Worldwide Corporation, in a decision filed August 24, 2015, ruled that the Federal Trade Commission (the "FTC"), by virtue of Section 5 of the FTC Act, has jurisdiction over the data security practices of corporations that collect and use the personal data of their customers.
Consumer advocates have celebrated the case as a win for consumers. I fear it will have the opposite effect.
Showing an increased level of concern for coordination between industry and the public, the U.S. Department of Justice ("DOJ") has issued guidance on cybersecurity risks and the steps that industry and consumers should take to prepare for cybersecurity threats.
The DOJ guidance on cybersecurity is very basic. The guidance is roughly 15 pages long and suggests that businesses familiarize themselves with their information networks and develop a plan for how to respond in the event of a breach in security. (Nothing novel here.)