Privacy & Information Security Law Blog

On January 10, 2017, the European Commission adopted a proposal for a Regulation on Privacy and Electronic Communications (“ePR”). On June 8, 2018, the Council of the European Union’s Bulgarian Presidency presented a progress report (the “Report”) on the draft ePR to the Transport, Telecommunications and Energy Council. The Report reflects on the amendments presented in the May 2018 Examination of the Presidency text. The Report is split into two sections: Annex I, a progress report, and Annex II, questions for the policy debate.

On May 30, 2018, the federal government released a report that identifies gaps in assets and capabilities required to manage the consequences of a cyber attack on the U.S. electric grid. The assessment is a result of the U.S. Department of Energy (“DOE”) and the U.S. Department of Homeland Security’s (“DHS”) combined efforts to assess the potential scope and duration of a prolonged power outage associated with a significant cyber incident and the United States’ readiness to manage the consequences of such an incident.

Recently, Louisiana amended its Database Security Breach Notification Law (the “amended law”). Notably, the amended law (1) amends the state’s data breach notification law to expand the definition of personal information and requires notice to affected Louisiana residents within 60 days, and (2) imposes data security and destruction requirements on covered entities. The amended law goes into effect on August 1, 2018.

On June 6, 2018, the U.S. Court of Appeals for the Eleventh Circuit vacated a 2016 Federal Trade Commission (“FTC”) order compelling LabMD to implement a “comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” The Eleventh Circuit agreed with LabMD that the FTC order was unenforceable because it did not direct the company to stop any “unfair act or practice” within the meaning of Section 5(a) of the Federal Trade Commission Act (the “FTC Act”).

On June 2, 2018, Oregon’s amended data breach notification law (“the amended law”) went into effect. Among other changes, the amended law broadens the applicability of breach notification requirements, prohibits fees for security freezes and related services provided to consumers in the wake of a breach and adds a specific notification timing requirement.

On May 31, 2018, the Federal Trade Commission published on its Business Blog a post addressing the easily missed data deletion requirement under the Children’s Online Privacy Protection Act (“COPPA”).

On May 30, 2018, the European Data Protection Board (“EDPB”), replacing the Article 29 Working Party, published the final version of Guidelines 2/2018 on derogations in the context of international data transfers and draft Guidelines 1/2018 on certification under the EU General Data Protection Regulation (“GDPR”). 

On May 29, 2018, Bojana Bellamy published a letter on the importance and value of data protection officers (“DPOs”) on the International Association of Privacy Professionals’ Privacy Perspectives blog, entitled A Letter to the Unsung Hero of the GDPR (the “Letter”). The Letter acknowledges the herculean efforts and boundless commitment DPOs and those in a similar role have demonstrated in preparing their organizations for the GDPR.

On May 14, 2018, the Department of Energy (“DOE”) Office of Electricity Delivery & Energy Reliability released its Multiyear Plan for Energy Sector Cybersecurity (the “Plan”). The Plan is significantly guided by DOE’s 2006 Roadmap to Secure Control Systems in the Energy Sector and 2011 Roadmap to Achieve Energy Delivery Systems Cybersecurity. Taken together with DOE’s recent announcement creating the new Office of Cybersecurity, Energy Security, and Emergency Response (“CESER”), DOE is clearly asserting its position as the energy sector’s Congressionally-recognized sector-specific agency (“SSA”) on cybersecurity.

On May 24, 2018, the Federal Trade Commission granted final approval to a settlement (the “Final Settlement”) with PayPal, Inc., to resolve charges that PayPal’s peer-to-peer payment service, Venmo, misled consumers regarding certain restrictions on the use of its service, as well as the privacy of transactions. The proposed settlement was announced on February 27, 2018. In its complaint, the FTC alleged that Venmo misrepresented its information security practices by stating that it “uses bank-grade security systems and data encryption to protect your financial information.” Instead, the FTC alleged that Venmo violated the Gramm-Leach-Bliley Act’s (“GLBA’s”) Safeguards Rule by failing to (1) have a written information security program; (2) assess the risks to the security, confidentiality and integrity of customer information; and (3) implement basic safeguards such as providing security notifications to users that their passwords were changed. The complaint also alleged that Venmo (1) misled consumers about their ability to transfer funds to external bank accounts, and (2) misrepresented the extent to which consumers could control the privacy of their transactions, in violation of the GLBA Privacy Rule.