Privacy & Information Security Law Blog

On August 29, 2019, the Maryland Insurance Administration issued new breach notification requirements for entities that provide health insurance or related services. The new requirements will apply to insurers, non-profit health plans, HMOs, third-party administrators, and certain other managed care entities. The new rules will take effect on October 1, 2019.

On August 8, 2019, the FTC announced that Unrollme Inc. (“Unrollme”), an email management company, agreed to settle allegations the company deceived consumers about how it accesses and uses their personal emails. Unrollme offered users a service whereby the company would help unsubscribe users from unwanted subscription emails. In connection with this service, Unrollme required users to provide the company with access to their email accounts. The FTC alleged that Unrollme falsely told consumers it would not “touch” their personal emails. In fact, the FTC alleged, Unrollme shared its users’ email receipts (“e-receipts”) (i.e., emails sent to consumers following a completed transaction) with its parent company, Slice Technologies, Inc. The FTC’s complaint alleged that the parent company used information from the e-receipts (such as the user’s name, address, and information about products or services the individual purchased) for purposes of its own market research analytics products.

On July 25, 2019, New York Governor Andrew Cuomo signed into law Senate Bill S5575B (the “Bill”), an amendment to New York’s breach notification law (the “Act”). The Bill expands the Act’s definition of “breach of the security of the system” and the types of information (i.e., “private information”) covered by the Act, and makes certain changes to the Act’s requirements for breach notification.

On July 17, 2019, the Federal Trade Commission published a notice in the Federal Register announcing an accelerated review of its Children’s Online Privacy Protection Rule (“COPPA Rule” or “Rule”), seeking feedback on the effectiveness of the 2013 amendments to the Rule, and soliciting input on whether additional changes are needed. Citing questions regarding the Rule’s application to the educational technology sector, voice-enabled connected devices, and general audience platforms that host child-directed content, the FTC indicated that it was moving up its review from a standard 10-year timeframe. The Commission vote to conduct the Rule review was unanimous, 5-0.

Given the value of personal information as a significant corporate asset, companies seeking to acquire or merge with another business should focus carefully on the data they will obtain as a result of the transaction. In addition, as cybersecurity attacks continue unabated, companies must carefully evaluate how personal information maintained by a potential target is protected. In a recent article published by Bloomberg Law, Hunton Andrews Kurth partner Lisa J. Sotto and counsel Ryan P. Logan discuss how legal frameworks involving U.S. federal and state law, the EU General Data Protection Regulation, antitrust law and other relevant legal regimes may affect how a company can use personal information following a transaction. The article also addresses key questions companies should ask during the due diligence process, how answers to those questions impact the deal documents and offers post-closing strategies companies should consider.

On June 13, 2019, the Cyberspace Administration of China (the “CAC”) released Draft Measures on Security Assessment of Cross-Border Transfer of Personal Information (“Draft Measures”) for public comment, the window for which ends July 13, 2019.

Arizona Attorney General Mark Brnovich recently announced a settlement with healthcare software provider Medical Informatics Engineering Inc. (“MIE”) and its wholly owned subsidiary NoMoreClipboard, LLC. The settlement resolves a multistate litigation arising out of a May 2015 data breach in which hackers infiltrated WebChart, a web application run by MIE, and stole the electronic Protected Health Information (“ePHI”) of over 3.9 million individuals. Arizona and 15 other states (the “Multistate AGs”) filed the suit in December 2018, asserting claims under the federal Health Insurance Portability and Accountability (“HIPAA”) as well as various applicable state data protection laws. Notably, the lawsuit was the first-ever multistate litigation alleging claims under HIPAA.

Maryland Governor Larry Hogan recently signed into law House Bill 1154 (the “Bill”), which amends the state’s data breach notification law. Among other obligations, the amendments expand the required actions a business must take after becoming aware of a data security breach.

On May 31, 2019, the Asia-Pacific Economic Cooperation (“APEC”) endorsed Schellman & Company as the second U.S. “Accountability Agent” overseeing the APEC Cross-Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) systems. Along with TrustArc, Schellman & Company will now be able to independently assess and certify the compliance of U.S. companies under the APEC CBPR and PRP systems.

On May 31, 2019, the Cyberspace Administration of China (the “CAC”) published Draft Regulations on Network Protection of Minor’s Personal Information (the “Draft Regulations”), timing the release to coincide with International Children’s Day. The Draft Regulations, based on the existing Cybersecurity Law of China (the “Cybersecurity Law”), is more protective of minors’ information than the Information Security Technology — Personal Information Security Specification (GB/T 35273 – 2017) (the “Specification”) and its draft amendment, which also address some limited provisions on network operators’ use and treatment of minors’ information.

On June 6, 2019, the French Data Protection Authority (the “CNIL”) announced that it levied a fine of €400,000 on SERGIC, a French real estate service provider, for failure to (1) implement appropriate security measures and (2) define data retention periods for the personal data of unsuccessful rental candidates.

On May 28, 2019, the Cyberspace Administration of China (“CAC”) released draft Data Security Administrative Measures (the “Measures”) for public comment. The Measures, which, when finalized, will be legally binding, supplement the Cybersecurity Law of China (the “Cybersecurity Law”) that took force on June 1, 2017, with detailed and practical requirements for network operators who collect, store, transmit, process and use data within Chinese territory. The Measures likely will significantly impact network operators’ compliance programs in China.

On May 30, 2019, the Maine House and Senate passed a bill (L.D. 946) that will place restrictions on broadband Internet service providers from selling customer data without the customer’s affirmative consent. The bill will apply to providers operating within Maine in connection with the broadband Internet access services they provide to customers who are physically located and billed for service received in Maine.

On May 24, 2019, Oregon Governor Kate Brown signed Senate Bill 684 (the “Bill”) into law. The Bill, which takes effect January 1, 2020, amends the Oregon Consumer Identity Theft Protection Act (“OCITPA”) by enhancing the breach notification requirements applicable to third-party vendors.

On May 27, 2019, the Illinois General Assembly voted 79-32 to approve Senate Bill 1624, an amendment to the Personal Information Protection Act (“PIPA”). The bill’s sponsor, Senator Suzy Glowiak (D), expects Illinois Governor J.B. Pritzker (D) to sign the bill into law in short order. The amendment had already unanimously passed the state Senate last month.

On May 24, 2019, the Cyberspace Administration of China (the “CAC”), together with eleven other relevant government authorities, jointly released the draft Cybersecurity Review Measures for public comment. The deadline for public comment is June 24, 2019.

On May 10, 2019, New Jersey Governor Phil Murphy signed into law a bill that amends New Jersey’s data breach notification law to expand the definition of personal information to include online account information. The amendment goes into effect September 1, 2019.

On May 6, 2019, the Federal Trade Commission announced that Meet24, FastMeet and Meet4U—three dating apps owned by Ukrainian-based company Wildec LLC—were removed from the Apple App Store and Google Play Store following an FTC letter alleging that the apps potentially violated the Children’s Online Privacy Protection Act (“COPPA”) and the Federal Trade Commission Act (“FTC Act”). According to the letter and contrary to what was claimed in their privacy policies, the apps, which collect dates of birth, email addresses, photographs and real-time location date, failed to block users who indicated they were under the age of 13.

On April 15, 2019, the Greek Data Protection Authority (“DPA”) fined Hellenic Petroleum S.A. EUR 20,000 for unlawful processing of personal data and EUR 10,000 for failing to adopt appropriate data security measures.

On April 22, 2019, Washington state legislators voted to send HB 1071 (the “Bill”) to Governor Jay Inslee for consideration. The Bill was requested by Attorney General Ferguson and would strengthen Washington’s data breach law. The request to amend the current law followed Attorney General Ferguson’s third annual Data Breach Report, which found that data breaches affected nearly 3.4 million Washingtonians between July 2017 and July 2018.

Hunton Andrews Kurth LLP, in coordination with the U.S. Chamber of Commerce, recently issued a report setting forth best practices for an effective data breach notification framework (the “Report”). Lead Hunton authors are Lisa J. Sotto, chair of the Global Privacy and Cybersecurity practice, and partners Brittany M. Bacon and Aaron P. Simpson.

On November 21, 2018, the Supreme Court of Pennsylvania ruled that a putative class action filed against UPMC (d/b/a The University of Pittsburg Medical Center) should not have been dismissed.

On October 30, 2018, ATA Consulting LLC (doing business as Best Medical Transcription) agreed to a $200,000 settlement with the New Jersey Attorney General resulting from a server misconfiguration that allowed private medical records to be posted publicly online. The fine was suspended to $31,000 based on the company’s financial condition. Read the settlement.

On October 29, 2018, the Office of the Privacy Commissioner of Canada (the “OPC”) released final guidance (“Final Guidance”) regarding how businesses may satisfy the reporting and record-keeping obligations under Canada’s new data breach reporting law. The law, effective November 1, 2018, requires organizations subject to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) to (1) report to the OPC breaches of security safeguards involving personal information “that pose a real risk of significant harm” to individuals; (2) notify affected individuals of the breach; and (3) keep records of every breach of security safeguards, regardless of whether or not there is a real risk of significant harm.

On October 19, 2018, the Federal Trade Commission announced that it released a paper on the Staff Perspective on the Informational Injury Workshop (the “Paper”), which summarized the outcomes of a workshop it hosted on December 12, 2017 to discuss and better understand “informational injuries” (i.e., harm suffered by consumers as a result of privacy and security incidents, such as data breaches or unauthorized disclosures of data) in an effort to guide (1) future policy determinations related to consumer injury and (2) future application of the “substantial injury” prong in cases involving informational injury.

On September 26, 2018, the SEC announced a settlement with Voya Financial Advisers, Inc. (“Voya”), a registered investment advisor and broker-dealer, for violating Regulation S-ID, also known as the “Identity Theft Red Flags Rule,” as well as Regulation S-P, the “Safeguards Rule.” Together, Regulations S-ID and S-P are designed to require covered entities to help protect customers from the risk of identity theft and to safeguard confidential customer information. The settlement represents the first SEC enforcement action brought under Regulation S-ID.

On September 26, 2018, the U.S. District Court for the District of Colorado ("the Court") refused to dismiss all putative class claims against Chipotle Mexican Grill, Inc. (“Chipotle”). This litigation arose from a 2017 data breach in which hackers stole customers’ payment card and other personal information by using malicious software to access the point-of-sale systems at Chipotle’s locations. 

On September 26, 2018, Uber Technologies Inc. (“Uber”) agreed to a settlement (the “Settlement”) with all 50 U.S. state attorneys general (the “Attorneys General”) in connection with a 2016 data breach affecting the personal information (including driver’s license numbers) of approximately 607,000 Uber drivers nationwide, as well as approximately 57 million consumers’ email addresses and phone numbers. The Attorneys General alleged that after Uber learned of the breach, which occurred in November 2016, the company paid intruders a $100,000 ransom to delete the data. The Attorneys General alleged that Uber failed to promptly notify affected individuals of the incident, as required under various state laws, instead notifying affected customers and drivers of the breach one year later in November 2017. 

Effective September 21, 2018, Section 301 of the Economic Growth, Regulatory Relief, and Consumer Protection Act (the “Act”) requires consumer reporting agencies to provide free credit freezes and year-long fraud alerts to consumers throughout the country. Under the Act, consumer reporting agencies must each set up a webpage designed to enable consumers to request credit freezes, fraud alerts, extended fraud alerts and active duty fraud alerts. The webpage must also give consumers the ability to opt out of the use of information in a consumer report to send the consumer a ...

On August 30, 2018, Apple Inc. announced a June update to its App Store Review Guidelines that will require each developer to provide its privacy policy as part of the app review process, and to include in such policy specific content requirements. Effective October 3, 2018, all new apps and app updates must include a link to the developer’s privacy policy before they can be submitted for distribution to users through the App Store or through TestFlight external testing.

As reported in BNA Privacy Law Watch, the Office of the Privacy Commissioner of Canada (the “OPC”) is seeking public comment on recently released guidance (the “Guidance”) intended to assist organizations with understanding their obligations under the federal breach notification mandate, which will take effect in Canada on November 1, 2018. 

On September 7, 2018, the New Jersey Attorney General announced a settlement with data management software developer Lightyear Dealer Technologies, LLC, doing business as DealerBuilt, resolving an investigation by the state Division of Consumer Affairs into a data breach that exposed the personal information of car dealership customers in New Jersey and across the country. The breach occurred in 2016, when a researcher exposed a gap in the company’s security and gained access to unencrypted files containing names, addresses, social security numbers, driver’s license numbers, bank account information and other data belonging to thousands of individuals, including at least 2,471 New Jersey residents.

On September 5, 2018, the U.S. District Court for the Central District of California held that a class action arising from a 2016 Uber Technologies Inc. (“Uber”) data breach must proceed to arbitration. The case was initially filed after a 2016 data breach that affected approximately 600,000 Uber drivers and 57 million Uber customers. 

On August 31, 2018, the California State Legislature passed SB-1121, a bill that delays enforcement of the California Consumer Privacy Act of 2018 (“CCPA”) and makes other modest amendments to the law. The bill now goes to the Governor for signing. The provisions of the CCPA will become operative on January 1, 2020. As we have previously reported, the CCPA introduces key privacy requirements for businesses. The Act was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. The CCPA’s hasty passage resulted in a number of drafting errors and inconsistencies in the law, which SB-1121 seeks to remedy. The amendments to the CCPA are primarily technical, with few substantive changes.

On August 15, 2018, U.S. District Judge Lucy Koh signed an order granting final approval of the record $115 million class action settlement agreed to by Anthem Inc. in June 2017. As previously reported, Judge Koh signed an order granting preliminary approval of the settlement in August 2017.

As reported in BNA Privacy Law Watch, a California legislative proposal would allocate additional resources to the California Attorney General’s office to facilitate the development of regulations required under the recently enacted California Consumer Privacy Act of 2018 (“CCPA”). CCPA was enacted in June 2018 and takes effect January 1, 2020. CCPA requires the California Attorney General to issue certain regulations prior to the effective date, including, among others, (1) to update the categories of data that constitute “personal information” under CCPA ...

On August 13, 2018, the Federal Trade Commission approved changes to the video game industry’s safe harbor guidelines under the Children’s Online Privacy Protection Act (“COPPA”) Rule. COPPA’s “safe harbor” provision enables industry groups to propose self-regulatory guidelines regarding COPPA compliance for FTC approval. 

On August 3, 2018, California-based Unixiz Inc. (“Unixiz”) agreed to shut down its “i-Dressup” website pursuant to a consent order with the New Jersey Attorney General, which the company entered into to settle charges that it violated the Children’s Online Privacy Protection Act (“COPPA”) and the New Jersey Consumer Fraud Act. The consent order also requires Unixiz to pay a civil penalty of $98,618.

On July 19, 2018, the French Data Protection Authority (“CNIL”) announced that it served a formal notice to two advertising startups headquartered in France, FIDZUP and TEEMO. Both companies collect personal data from mobile phones via software development kit (“SDK”) tools integrated into the code of their partners’ mobile apps—even when the apps are not in use—and process the data to conduct marketing campaigns on mobile phones.

On July 27, 2018, the Justice BN Srikrishna committee, formed by the Indian government in August 2017 with the goal of introducing a comprehensive data protection law in India, issued a report, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (the “Committee Report”), and a draft data protection bill called the Personal Data Protection Bill, 2018 (the “Bill”). Noting that the Indian Supreme Court has recognized the right to privacy as a fundamental right, the Committee Report summarizes the existing data protection framework in India, and recommends that the government of India adopt a comprehensive data protection law such as that proposed in the Bill.

In its most recent cybersecurity newsletter, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) provided guidance regarding identifying vulnerabilities and mitigating the associated risks of software used to process electronic protected health information (“ePHI”). The guidance, along with additional resources identified by OCR, are outlined below:

On July 12, 2018, British Prime Minister Theresa May presented her Brexit White Paper, “The Future Relationship Between the United Kingdom and the European Union,” (the "White Paper”) to Parliament. The White Paper outlines the UK’s desired future relationship with the EU post-Brexit, and includes within its scope important data protection-related issues, including digital trade, data flows, cooperation for the development of Artificial Intelligence (“AI”), and the role of the Information Commissioner’s Office (“ICO”), as further discussed below:

On June 27, 2018, the Ministry of Public Security of the People’s Republic of China published the Draft Regulations on the Classified Protection of Cybersecurity (网络安全等级保护条例（征求意见稿）) (“Draft Regulation”) and is seeking comments from the public by July 27, 2018.

On June 28, 2018, the Governor of California signed AB 375, the California Consumer Privacy Act of 2018 (the “Act”). The Act introduces key privacy requirements for businesses, and was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative. The Act will take effect January 1, 2020.

On June 25, 2018, the New York Department of Financial Services (“NYDFS”) issued a final regulation (the “Regulation”) requiring consumer reporting agencies with “significant operations” in New York to (1) register with NYDFS for the first time and (2) comply with the NYDFS’s cybersecurity regulation. Under the Regulation, consumer reporting agencies that reported on 1,000 or more New York consumers in the preceding year are subject to these requirements, and must register with NYDFS on or before September 1, 2018. The deadline for consumer reporting agencies to ...

On June 21, 2018, California lawmakers introduced AB 375, the California Consumer Privacy Act of 2018 (the “Bill”). If enacted and signed by the Governor by June 28, 2018, the Bill would introduce key privacy requirements for businesses, but would also result in the removal of a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative.

On June 22, 2018, the United States Supreme Court held in Carpenter v. United States that law enforcement agencies must obtain a warrant supported by probable cause to obtain historical cell-site location information (“CSLI”) from third-party providers. The government argued in Carpenter that it could access historical CSLI through a court order alone under the Stored Communications Act (the “SCA”). Under 18 U.S.C. § 2703(d), obtaining an SCA court order for stored records only requires the government to “offer specific and articulable facts showing that there are reasonable grounds.” However, in a split 5-4 decision, the Supreme Court held that the Fourth Amendment requires law enforcement agencies to obtain a warrant supported by probable cause to obtain historical CSLI.

Recently, Iowa and Nebraska enacted information security laws applicable to personal information. Iowa’s law applies to operators of online services directed at and used by students in kindergarten through grade 12, whereas Nebraska’s law applies to all commercial entities doing business in Nebraska who own or license Nebraska residents’ personal information.

On November 6, 2018, California voters will consider a ballot initiative called the California Consumer Privacy Act (“the Act”). The Act is designed to give California residents (i.e., “consumers”) the right to request from businesses (see “Applicability” below) the categories of personal information the business has sold or disclosed to third parties, with some exceptions. The Act would also require businesses to disclose in their privacy notices consumers’ rights under the Act, as well as how consumers may opt out of the sale of their personal information if the business sells consumer personal information.

Recently, the Personal Data Collection and Protection Ordinance (“the Ordinance”) was introduced to the Chicago City Council. The Ordinance would require businesses to (1) obtain prior opt-in consent from Chicago residents to use, disclose or sell their personal information; (2) notify affected Chicago residents and the City of Chicago in the event of a data breach; (3) register with the City of Chicago if they qualify as “data brokers”; (4) provide specific notification to mobile device users for location services; and (5) obtain prior express consent to use geolocation data from mobile applications.

Recently, Colorado’s governor signed into law House Bill 18-1128 “concerning strengthening protections for consumer data privacy” (the “Bill”), which takes effect September 1, 2018. Among other provisions, the Bill (1) amends the state’s data breach notification law to require notice to affected Colorado residents and the Colorado Attorney General within 30 days of determining that a security breach occurred, imposes content requirements for the notice to residents and expands the definition of personal information; (2) establishes data security requirements applicable to businesses and their third-party service providers; and (3) amends the state’s law regarding disposal of personal identifying information.

Recently, Vermont enacted legislation (H.764) that regulates data brokers who buy and sell personal information. Vermont is the first state in the nation to enact this type of legislation.

• Definition of Data Broker. The law defines a “data broker” broadly as “a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”
• Definition of “Brokered Personal Information.” “Brokered personal ...

Recently, Louisiana amended its Database Security Breach Notification Law (the “amended law”). Notably, the amended law (1) amends the state’s data breach notification law to expand the definition of personal information and requires notice to affected Louisiana residents within 60 days, and (2) imposes data security and destruction requirements on covered entities. The amended law goes into effect on August 1, 2018.

On June 6, 2018, the U.S. Court of Appeals for the Eleventh Circuit vacated a 2016 Federal Trade Commission (“FTC”) order compelling LabMD to implement a “comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers.” The Eleventh Circuit agreed with LabMD that the FTC order was unenforceable because it did not direct the company to stop any “unfair act or practice” within the meaning of Section 5(a) of the Federal Trade Commission Act (the “FTC Act”).

On June 2, 2018, Oregon’s amended data breach notification law (“the amended law”) went into effect. Among other changes, the amended law broadens the applicability of breach notification requirements, prohibits fees for security freezes and related services provided to consumers in the wake of a breach and adds a specific notification timing requirement.

On May 31, 2018, the Federal Trade Commission published on its Business Blog a post addressing the easily missed data deletion requirement under the Children’s Online Privacy Protection Act (“COPPA”).

On April 11, 2018, Arizona amended its data breach notification law (the “amended law”). The amended law will require persons, companies and government agencies doing business in the state to notify affected individuals within 45 days of determining that a breach has resulted in or is reasonably likely to result in substantial economic loss to affected individuals. The old law only required notification “in the most expedient manner possible and without unreasonable delay.” The amended law also broadens the definition of personal information and requires regulatory notice and notice to the consumer reporting agencies (“CRAs”) under certain circumstances.

On May 8, 2018, Senator Ron Wyden (D–OR) demanded that the Federal Communications Commission investigate the alleged unauthorized tracking of Americans’ locations by Securus Technologies, a company that provides phone services to prisons, jails and other correctional facilities. Securus allegedly purchases real-time location data from a third-party location aggregator and provides the data to law enforcement without obtaining judicial authorization for the disclosure of the data. In turn, the third-party location aggregator obtains the data from wireless carriers. Federal law restricts how and when wireless carriers can share certain customer information with third parties, including law enforcement. Wireless carriers are prohibited from sharing certain customer information, including location data, unless the carrier has obtained the customer’s consent or the sharing is otherwise required by law.

On April 27, 2018, the Federal Trade Commission issued two warning letters to foreign marketers of geolocation tracking devices for violations of the U.S. Children’s Online Privacy Protection Act (“COPPA”). The first letter was directed to a Chinese company, Gator Group, Ltd., that sold the “Kids GPS Gator Watch” (marketed as a child’s first cellphone); the second was sent to a Swedish company, Tinitell, Inc., marketing a child-based app that works with a mobile phone worn like a watch. Both products collect a child’s precise geolocation data, and the Gator Watch includes geofencing “safe zones.”  

On May 1, 2018, the Information Security Technology – Personal Information Security Specification (the “Specification”) went into effect in China. The Specification is not binding and cannot be used as a direct basis for enforcement. However, enforcement agencies in China can still use the Specification as a reference or guideline in their administration and enforcement activities. For this reason, the Specification should be taken seriously as a best practice in personal data protection in China, and should be complied with where feasible.

On May 4, 2018, St. Kitts and Nevis’ legislators passed the Data Protection Bill 2018 (the “Bill”). The Bill was passed to promote the protection of personal data processed by public and private bodies.

On April 30, 2018, the Federal Trade Commission announced that BLU Products, Inc. (“BLU”), a mobile phone manufacturer, agreed to settle charges that the company allowed ADUPS Technology Co. Ltd. (“ADUPS”), a third-party service provider based in China to collect consumers’ personal information without their knowledge or consent, notwithstanding the company’s promises that it would keep the relevant information secure and private. The relevant personal information allegedly included, among other information, text message content and real-time location information. On September 6, 2018, the FTC gave final approval to the settlement in a unanimous 5-0 vote.

The Federal Trade Commission has modified its 2017 settlement with Uber Technologies, Inc. (“Uber”) after learning of an additional breach that was not taken into consideration during its earlier negotiations with the company. The modifications are based on the fact that Uber failed to notify the FTC of a November 2016 breach, which took place during the time that the FTC was investigating an earlier, 2014 breach. The 2016 breach occurred when intruders used an access key that an Uber engineer had posted on GitHub to download more than 47 million user names, including related email addresses or phone numbers, as well as more than 600,000 drivers’ names and license numbers. The FTC alleged that after Uber learned of the breach, it paid the intruders a $100,000 ransom through its “bug bounty” program. The bug bounty program is intended to reward responsible disclosure of security vulnerabilities.

The Canadian government recently published a cabinet order stating that the effective date for breach notification provisions in the Digital Privacy Act would be November 1, 2018. At that time, businesses that experience a "breach of security safeguards" would be required to notify affected individuals, as well as the Privacy Commissioner and any other organization or government institution that might be able to reduce the risk of harm resulting from the breach.

On March 28, 2018, Alabama became the final state in the U.S. to enact a data breach notification law. The Alabama Data Breach Notification Act of 2018 (S.B. 318) (“the Law”) goes into effect on June 1, 2018.

As reported in BNA Privacy Law Watch, on March 21, 2018, South Dakota enacted the state’s first data breach notification law. The law will take effect on July 1, 2018, and includes several key provisions:

On February 12, 2018, in a settled enforcement action, the U.S. Commodity Futures Trading Commission (“CFTC”) charged a registered futures commission merchant (“FCM”) with violations of CFTC regulations relating to an ongoing data breach. Specifically, the FCM failed to diligently supervise an information technology provider's (“IT vendor’s”) implementation of certain provisions in the FCM’s written information systems security program. Though not unprecedented, this case represents a rare CFTC enforcement action premised on a cybersecurity failure at a CFTC-registered entity.

On February 6, 2018, the Federal Trade Commission (“FTC”) released its agenda for PrivacyCon 2018, which will take place on February 28. Following recent FTC trends, PrivacyCon 2018 will focus on privacy and data security considerations associated with emerging technologies, including the Internet of Things, artificial intelligence and virtual reality. The event will feature four panel presentations by over 20 researchers, including (1) collection, exfiltration and leakage of private information; (2) consumer preferences, expectations and behaviors; (3) economics, markets and experiments and (4) tools and ratings for privacy management. The FTC’s press release emphasizes the event’s focus on the economics of privacy, including “how to quantify the harms that result when companies fail to secure consumer information, and how to balance the costs and benefits of privacy-protective technologies and practices.”

On February 5, 2018, the Federal Trade Commission (“FTC”) announced its most recent Children’s Online Privacy Protection Act (“COPPA”) case against Explore Talent, an online service marketed to aspiring actors and models. According to the FTC’s complaint, Explore Talent provided a free platform for consumers to find information about upcoming auditions, casting calls and other opportunities. The company also offered a monthly fee-based “pro” service that promised to provide consumers with access to specific opportunities. Users who registered online were asked to input a host of personal information including full name, email, telephone number, mailing address and photo; they also were asked to provide their eye color, hair color, body type, measurements, gender, ethnicity, age range and birth date.

On January 23, 2018, the New York Attorney General announced that Aetna Inc. (“Aetna”) agreed to pay $1.15 million and enhance its privacy practices following an investigation alleging it risked revealing the HIV status of 2,460 New York residents by mailing them information in transparent window envelopes. In July 2017, Aetna sent HIV patients information on how to fill their prescriptions using envelopes with large clear plastic windows, through which patient names, addresses, claims numbers and medication instructions were visible. Through this, the HIV status of some patients was visible to third parties. The letters were sent to notify members of a class action lawsuit that, pursuant to that suit’s resolution, they could purchase HIV medications at physical pharmacy locations, rather than via mail order delivery.

On January 25, 2018, the Standardization Administration of China published the full text of the Information Security Technology – Personal Information Security Specification (the “Specification”). The Specification will come into effect on May 1, 2018. The Specification is voluntary, but could become influential within China because it establishes benchmarks for the processing of personal information by a wide variety of entities and organizations. In effect, the Specification constitutes a best practices guide for the collection, retention, use, sharing and transfer of personal information, and for the handling of related information security incidents.

On January 8, 2018, the FTC announced an agreement with electronic toy manufacturer, VTech Electronics Limited and its U.S. subsidiary, settling charges that VTech violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting personal information from hundreds of thousands of children without providing direct notice or obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected. Under the agreement, VTech will (1) pay a $650,000 civil penalty; (2) implement a comprehensive data security program, subject to ...

As reported in BNA Privacy Law Watch, on December 6, 2017, health care provider 21st Century Oncology agreed to pay $2.3 million to settle charges by the Department of Health and Human Services' (“HHS”) Office for Civil Rights (“OCR”) that its security practices led to a data breach involving patient information. The settlement was made public in the company’s December 6, 2017, bankruptcy filing. The HHS charges stemmed from a 2015 data breach involving the compromise of Social Security numbers, medical diagnoses and health insurance information of at least 2.2 million ...

Recently, the FTC and FCC announced their intent to enter into a Memorandum of Understanding (“MOU”) under which the agencies would coordinate their efforts following the adoption of the Restoring Internet Freedom Order (the “Order”). As we previously reported, if adopted, the Order would repeal the rules put in place by the FCC in 2015 that prohibit high-speed internet service providers (“ISPs”) from stopping or slowing down the delivery of websites and from charging customers extra fees for high-quality streaming and other services. 

Recently, FCC Chairman Ajit Pai released a draft of the Restoring Internet Freedom Order (the “Order”). If adopted, the Order would repeal the rules put in place by the FCC in 2015 that prohibit high-speed internet service providers (“ISPs”) from stopping or slowing down the delivery of websites and from charging customers extra fees for high-quality streaming and other services.

Recently, the Federal Trade Commission released the final agenda for a workshop being held on December 12, 2017, that will address the various consumer injuries that result from the unauthorized access to or misuse of consumers’ personal information.

On November 8, 2017, the United States District Court for the Northern District of California ordered German defendants in an ongoing patent suit, BrightEdge Technologies, Inc. v. Searchmetrics GmbH, to produce a particular database, despite the defendants’ claims that such production would violate German privacy laws.

On November 7, 2017, the Standing Committee of the National People’s Congress of China published the second draft of the E-commerce Law (the “Second Draft”) and is allowing the general public an opportunity to comment through November 26, 2017.

On November 8, 2017, the FTC announced a settlement with Georgia-based online tax preparation service, TaxSlayer, LLC (“TaxSlayer”), regarding allegations that the company violated federal rules on financial privacy and data security. According to the FTC’s complaint, malicious hackers were able to gain full access to nearly 9,000 TaxSlayer user accounts between October 2015 and December 2015. The hackers allegedly used the personal information contained in the users’ accounts, including contact information, Social Security numbers and financial information, to engage in tax identify theft and obtain tax refunds through filing fraudulent tax returns. The FTC charged TaxSlayer with violating the Gramm-Leach-Bliley Act’s Safeguards Rule and Privacy Rule. 

On October 31, 2017, the New York and Vermont Attorneys General (“Attorneys General”) announced a settlement with Hilton Domestic Operating Company, Inc., formerly known as Hilton Worldwide, Inc. (“Hilton”), to settle allegations that the company lacked reasonable data security and waited too long to report a pair of 2015 data breaches, which exposed over 350,000 credit card numbers. The Attorneys General alleged that Hilton failed to maintain reasonable data security and waited more than nine months after the first incident to notify consumers of the breaches, in violation of the states' consumer protection and breach notification laws.

Recently, the Office of the Privacy Commissioner of Canada (“OPC”) issued its 2017 Global Privacy Enforcement Network Sweep results (the “Report”), which focused on certain privacy practices of online educational tools and services targeted at classrooms. The OPC examined the privacy practices of two dozen educational websites and apps used by K-12 students. The “sweep” sought to replicate the consumer experience by interacting with the websites and apps, and recording the privacy practices and controls in place. The overarching theme of the Report is “user controls over personal information,” which the OPC further refined into four subthemes: (1) transparency, (2) consent, (3) age-appropriate collection and disclosure, and (4) deletion of personal information.

On October 3, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) issued an announcement clarifying when protected health information (“PHI”) can be shared with family, friends and others. This announcement, prompted by the recent mass shooting in Las Vegas, outlines the purposes for which PHI can be disclosed to these parties pursuant to HIPAA and the conditions that apply, which are summarized below:

On September 29, 2017, Samanage USA, Inc. (“Samanage”), a North Carolina-based technology company that provided cloud-based IT support services as a subcontractor for Vermont’s health care exchange (“Vermont Health Connect”), agreed to a $264,000 settlement with the Vermont Attorney General in relation to a breach that exposed the Social Security numbers of 660 Vermont Health Connect users.

On September 7, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) issued an announcement containing disaster preparedness and recovery guidance in advance of Hurricane Irma. The announcement follows a bulletin issued in late August during Hurricane Harvey that addressed how protected health information (“PHI”) can be shared during emergencies. Together, these communications underscore key privacy and security issues for entities covered by HIPAA to help them protect individuals’ health information before, during and after emergency situations.

On September 5, 2017, the FTC announced that Lenovo, Inc. (“Lenovo”) agreed to settle charges that its preloaded software on some laptop computers compromised online security protections in order to deliver advertisements to consumers. The settlement agreement (the “Settlement”) is between Lenovo, the FTC and 32 State Attorneys General. 

Recently, the National Information Security Standardization Technical Committee of China published a draft document entitled Information Security Technology – Guidelines for De-Identifying Personal Information (the “Draft Guidelines”). The Draft Guidelines are open for comment from the general public until October 9, 2017.

On August 25, 2017, U.S. District Judge Lucy Koh signed an order granting preliminary approval of the record class action settlement agreed to by Anthem Inc. this past June. The settlement arose out of a 2015 data breach that exposed the personal information of more than 78 million individuals, including names, dates of birth, Social Security numbers and health care ID numbers. The terms of the settlement include, among other things, the creation of a pool of funds to provide credit monitoring and reimbursement for out-of-pocket costs for customers, as well as up to $38 million in attorneys’ fees. Anthem will also be required to make certain changes to its data security systems and cybersecurity practices for at least three years.

On August 25, 2017, the FTC published the sixth blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Segment your network and monitor who’s trying to get in and out, illustrates the benefits of segmenting networks and monitoring the size and frequency of data transfers.

As reported in BNA Privacy Law Watch, on August 17, 2017, Delaware amended its data breach notification law, effective April 14, 2018. The Delaware law previously required companies to give notice of a breach to affected Delaware residents “as soon as possible” after determining that, as a result of the breach, “misuse of information about a Delaware resident has occurred or is reasonably likely to occur.” The prior version of the law did not require regulator notification.

On August 15, 2017, the FTC announced that it had reached a settlement with Uber, Inc., over allegations that the ride-sharing company had made deceptive data privacy and security representations to its consumers. Under the terms of the settlement, Uber has agreed to implement a comprehensive privacy program and undergo regular, independent privacy audits for the next 20 years.

On August 18, 2017, the FTC published the fifth blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Store sensitive personal information securely and protect it during transmission, outlines steps businesses can take to secure sensitive data, including when it is in transit.

On August 14, 2017, the Colombian Superintendence of Industry and Commerce (“SIC”) announced that it was adding the United States to its list of nations that provide an adequate level of protection for the transfer of personal information, according to a report from Bloomberg BNA. The SIC, along with the Superintendence of Finance, is Colombia’s data protection authority, and is responsible for enforcing Colombia’s data protection law. Under Colombian law, transfers of personal information to countries that are deemed to have laws providing an adequate level of ...

On August 11, 2017, the FTC published the fourth blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Require secure passwords and authentication, examines five effective security measures companies can take to safeguard their computer networks.

On August 9, 2017, Nationwide Mutual Insurance Co. (“Nationwide”) agreed to a $5.5 million settlement with attorneys general from 32 states in connection with a 2012 data breach that exposed the personal information of over 1.2 million individuals. 

On August 4, 2017, the FTC published the third blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled “Stick with security: Control access to data sensibly,” details key security measures businesses can take to limit unauthorized access to data in their possession.

On July 31, 2017, the Federal Trade Commission announced that it has approved modifications to TRUSTe’s safe harbor program under the Children’s Online Privacy Protection Rule (the “COPPA Rule”).

On July 28, 2017, the FTC published the second blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled “Start with security – and stick with it,” looks at key security principles that apply to all businesses regardless of their size or the types of data they handle.

On July 26, 2017, the Court of Justice of the European Union (“CJEU”) declared that the envisaged EU-Canada agreement on the transfer of Passenger Name Records (“PNR Agreement”) interferes with the fundamental right to respect for private life and the right to the protection of personal data and is therefore incompatible with EU law in its current form. This marks the first instance where the CJEU has been asked to rule on the compatibility of a draft international agreement with the European Charter of Fundamental Human Rights.

On July 21, 2017, New Jersey Governor Chris Christie signed a bill that places new restrictions on the collection and use of personal information by retail establishments for certain purposes. The statute, which is called the Personal Information and Privacy Protection Act, permits retail establishments in New Jersey to scan a person’s driver’s license or other state-issued identification card only for the following eight purposes:

On July 5, 2017, the FTC announced that Blue Global Media, LLC (“Blue Global”) agreed to settle charges that it misled consumers into filling out loan applications and then sold those applications, including sensitive personal information contained therein, to other entities without verifying how consumers’ information would be used or whether it would remain secure. According to the FTC’s complaint, Blue Global claimed it would connect loan applicants to lenders from its network of over 100 lenders in an effort to offer applicants the best terms. In reality, Blue Global “sold very few of the loan applications to lenders; did not match applications based on loan rates or terms; and sold the loan applications to the first buyer willing to pay for them.” The FTC alleged that, contrary to Blue Global’s representations, the company provided consumers’ sensitive information—including SSN and bank account number—to buyers without consumers’ knowledge or consent. The FTC further alleged that, upon receiving complaints from consumers that their personal information was being misused, Blue Global failed to investigate or take action to prevent harm to consumers.