Privacy & Information Security Law Blog

On September 17, 2015, the Seventh Circuit rejected Neiman Marcus’ petition for a rehearing en banc of Remijas v. Neiman Marcus Group, LLC, No. 14-3122. In Remijas, a Seventh Circuit panel found that members of a putative class alleged sufficient facts to establish standing to sue Neiman Marcus following a 2013 data breach that resulted in hackers gaining access to customers’ credit and debit card information. No judge in regular active service requested a vote on the rehearing petition. Additionally, all members of the original panel voted to deny rehearing. As we previously reported, and according to The Practitioner's Handbook for Appeals to the United States Court of Appeals for the Seventh Circuit, “it is more likely to have a petition for writ of certiorari granted by the Supreme Court than to have a request for en banc consideration granted” in the Seventh Circuit.

On September 22, 2015, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the Cloud Select Industry Group (“C-SIG”) Code of Conduct on data protection for Cloud Service Providers (the “Code”). In the Opinion, the Working Party analyzes the Code that was drafted by the Cloud Select Industry Group (the “C-SIG”).

On September 22, 2015, the Securities and Exchange Commission (“SEC”) announced a settlement order (the “Order”) with an investment adviser for failing to establish cybersecurity policies and procedures, and published an investor alert (the “Alert”) entitled Identity Theft, Data Breaches, and Your Investment Accounts.

On September 8, 2015, representatives from the U.S. Government and the European Commission initialed a draft agreement known as the Protection of Personal Information Relating to the Prevention, Investigation, Detection and Prosecution of Criminal Offenses (the “Umbrella Agreement”). The European Commission’s stated aim for the Umbrella Agreement is to put in place “a comprehensive high-level data protection framework for EU-U.S. law enforcement cooperation.” The Umbrella Agreement has been agreed upon amid the ongoing uncertainty over the future of the U.S.-EU Safe Harbor, and was drafted shortly before the release of the September 23 Advocate General’s Opinion in the Schrems v. Facebook litigation. The content of the Umbrella Agreement is in its final form, but its implementation is dependent upon revisions to U.S. law that are currently before Congress.

On September 23, 2015, Advocate General of the European Court of Justice Yves Bot issued his Opinion in the case of Max Schrems, which is currently pending before the Court of Justice of the European Union (the “CJEU”). In the opinion, the Advocate General provided his views concerning two key issues related to the U.S.-EU Safe Harbor Framework: (1) the powers of national data protection authorities to investigate and suspend international data transfers made under the Safe Harbor Framework and (2) the ongoing validity of the European Commission’s Safe Harbor adequacy decision (Decision 2000/520).

On September 15, 2015, Judge Magnuson of the U.S. District Court for the District of Minnesota certified a Federal Rule of Civil Procedure 23(b)(3) class of financial services institutions claiming damages from Target Corporation’s 2013 data breach. The class consists of “all entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.”

On September 15, 2015, the Office of Compliance, Inspections and Examinations (“OCIE”) at the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert outlining its latest cybersecurity examination priorities for SEC-registered broker-dealers and investment advisers.

On September 17, 2015, Prime Minister David Cameron issued a Written Ministerial Statement, announcing that policy responsibility for data protection issues and the UK Information Commissioner’s Office (the “ICO”) will both be transferred from the Ministry of Justice (the “MoJ”) to the Department for Culture, Media & Sport, (the “DCMS”) with the changes taking effect on the same date. Existing data protection policy teams at the MoJ also will move to the DCMS.

On August 20, 2015, the Bavarian Data Protection Authority (“DPA”) issued a press release stating that it imposed a significant fine on a data controller for failing to adequately specify the security controls protecting personal data in a data processing agreement with a data processor.

On September 2, 2015, the Information Commissioner’s Office (the “ICO”) announced an investigation into the data sharing practices of charities in the United Kingdom. The announcement follows the publication of an article in a UK newspaper highlighting the plight of Samuel Rae, an elderly man suffering from dementia. In 1994, Rae completed a survey, which resulted in a charity collecting his personal data. The charity, in turn, allegedly shared his contact details with other charities, data brokers and third parties. Over the years, some of those charities and third parties are reported to have sent Rae hundreds of unwanted items of mail, requesting donations and, in some cases, attempting to defraud him. The legal basis on which Rae’s details were shared remains unclear, although the ICO has noted that the distribution may have resulted from a simple failure to tick an “opt-out” box on the survey.