On April 8, 2022, the Food and Drug Administration (“FDA”) issued Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions, a draft guidance document for industry and FDA staff. Industry stakeholders will have until July 7, 2022 to comment on the proposed guidance.
On February 28, 2018, the Federal Trade Commission issued a report, titled Mobile Security Updates: Understanding the Issues (the “Report”), that analyzes the process by which mobile devices sold in the U.S. receive security updates and provides recommendations for improvement. The Report is based on information the FTC obtained from eight mobile device manufacturers, and from information the Federal Communications Commission collected from six wireless carriers.
On February 26, 2018, the United States Court of Appeals for the Ninth Circuit ruled in an en banc decision that the “common carrier” exception in the Federal Trade Commission Act is “activity-based,” and therefore applies only to the extent a common carrier is engaging in common carrier services. The decision has implications for FTC authority over Internet service providers, indicating that the FTC has authority to bring consumer protection actions against such providers to the extent they are engaging in non-common carrier activities. The Federal Communications Commission (“FCC”) has previously ruled that Internet access service is not a common carrier service subject to that agency’s jurisdiction.
On February 22, 2018, the Federal Trade Commission (“FTC”) published a blog post that provides tips on how consumers can use Virtual Private Network (“VPN”) apps to protect their information while in transit over public networks. The FTC notes that some consumers are finding VPN apps helpful in protecting their mobile device traffic over Wi-Fi networks at coffee shops, airports and other locations. Through a VPN app, a user can browse websites and use apps on their mobile devices, still shielding the traffic from prying eyes as it transmits via public networks.
On May 22, 2017, New York Attorney General Eric T. Schneiderman announced that the AG’s office has reached a settlement (the “Settlement”) with Safetech Products LLC (“Safetech”) regarding the company’s sale of insecure Bluetooth-enabled wireless doors and padlocks. In a press release, Schneiderman indicated that this “marks the first time an attorneys general’s office has taken legal action against a wireless security company for failing to protect their [customers’] personal and private information.”
On May 25, 2015, the French Data Protection Authority (“CNIL”) released its long-awaited annual inspection program for 2015. Under French data protection law, the CNIL may conduct four types of inspections: (1) on-site inspections (i.e., the CNIL may visit a company’s facilities and access anything that stores personal data); (2) document reviews (i.e., the CNIL may require an entity to send documents or files upon written request); (3) hearings (i.e., the CNIL may summon representatives of organizations to appear for questioning and provide other necessary information); and (4) since March 2014, online inspections.
On March 28, 2014, the Federal Trade Commission announced proposed settlements with Fandango and Credit Karma stemming from allegations that the companies misrepresented the security of their mobile apps and failed to secure consumers’ sensitive personal information transmitted using their mobile apps.
Hunton & Williams Insurance Litigation & Counseling partner Lon Berk reports:
The recently publicized Secure Sockets Layer (“SSL”) bug affecting Apple Inc. products raises a question regarding insurance coverage that is likely to become increasingly relevant as “The Internet of Things” expands. Specifically, on certain devices, the code used to set SSL connections contains an extra line that causes the program to skip a critical verification step. Consequently, unless a security patch is downloaded, when these devices are used on shared wireless networks they are subject to so-called “man-in-the-middle” security attacks and other serious security risks. Assuming that sellers of such devices may be held liable for damages, there may be questions about insurance to cover the risks.
On March 12, 2013, Connecticut Attorney General George Jepsen announced that a coalition of 38 states had entered into a $7 million settlement with Google Inc. (“Google”) regarding its collection of unsecured Wi-Fi data via the company’s Street View vehicles between 2008 and 2010. The settlement is the culmination of a multi-year investigation by the states that we first reported on in 2010.
On May 30, 2012, the Federal Trade Commission hosted a public workshop addressing the need for new guidance on advertising and privacy disclosures online and in mobile environments. During the workshop, the FTC announced that it hopes to release an updated version of its online advertising disclosure guidance this fall that would incorporate input from businesses and consumer advocates. Topics explored at the workshop included:
- Best practices for privacy disclosures on mobile platforms and how they can be short, effective and accessible to consumers;
- how to put disclosures in proximity to offers on mobile platforms;
- social media disclosures; and
- the placement of material information on webpages.
On May 16, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on geolocation services on smart mobile devices (the “Opinion”). The Opinion clarifies the legal framework and obligations applicable to geolocation services such as maps and navigation tools, geo-personalized services, geotagging of content on the Internet, child control and location-based advertising.
On March 28, 2011, the Briar Group, LLC, owner and operator of several Boston-area bars and restaurants, reached a settlement with Massachusetts Attorney General Martha Coakley regarding the breach of “tens of thousands” of consumers’ payment card information. The settlement resolves a lawsuit filed in Massachusetts Superior Court alleging that in April 2009 hackers gained access to the Briar Group’s computer systems and misappropriated customer data by installing malcode which was not removed by the company until December of that year. The complaint further alleged that the Briar Group’s lax data protection practices, such as allowing employees to share computer passwords and failing to secure network wireless connections, put customers’ personal information at risk.
On March 21, 2011, the French Data Protection Authority (the “CNIL”) published its decision to fine Google €100,000 for violating the French Data Protection Act.
In 2009, the CNIL inspected Google’s geolocation service (“Street View”), which revealed that Google had collected huge quantities of undeclared personal data (e.g., navigation data, email content, logins and passwords) through Wi-Fi connections accessed by its Street View cars. Google responded that the personal data had been collected by mistake, and promised to stop the Wi-Fi data collection.
Connecticut’s newly-elected Attorney General George Jepsen recently announced an agreement with Google, Inc. concerning the company’s refusal to comply with a Civil Investigative Demand brought by his predecessor, freshman Senator Richard Blumenthal (D-CT). According to a January 28, 2011 press release, to facilitate settlement discussions with the Connecticut-led, 40-state coalition, Google will stipulate that “payload data” compiled in 2008 and 2009 “contained URLs of requested Web pages, partial or complete e-mail communications or other information, including confidential and private information” transmitted by individuals across unsecured wireless networks.
On July 21, 2010, a coalition of 38 states sent a letter to Google demanding more information about the company’s collection of data from unsecured wireless networks by its Google Street View vehicles. The letter was sent by Connecticut Attorney General Richard Blumenthal on behalf of the executive committee of a multistate working group investigating Google Street View practices. As we reported on June 22, Blumenthal has spearheaded the nationwide investigation into Google Street View. Among other things, the letter asks Google to identify who was responsible for the software code that allowed the Street View cars to collect data broadcast over Wi-Fi networks, and for a list of states where unauthorized data collection occurred. The letter also asks Google for details regarding whether any of the data was disclosed to third parties or used for marketing purposes.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code