On September 26, 2018, the SEC announced a settlement with Voya Financial Advisers, Inc. (“Voya”), a registered investment advisor and broker-dealer, for violating Regulation S-ID, also known as the “Identity Theft Red Flags Rule,” as well as Regulation S-P, the “Safeguards Rule.” Together, Regulations S-ID and S-P are designed to require covered entities to help protect customers from the risk of identity theft and to safeguard confidential customer information. The settlement represents the first SEC enforcement action brought under Regulation S-ID. Continue Reading SEC Fines Broker-Dealer $1 Million in First Enforcement Action Under Identity Theft Rule

On September 27, 2018, the Federal Trade Commission announced a settlement agreement with four companies – IDmission, LLC, (“IDmission”) mResource LLC (doing business as Loop Works, LLC) (“mResource”), SmartStart Employment Screening, Inc. (“SmartStart”), and VenPath, Inc. (“VenPath”) – over allegations that each company had falsely claimed to have valid certifications under the EU-U.S. Privacy Shield framework. The FTC alleged that SmartStart, VenPath and mResource continued to post statements on their websites about their participation in the Privacy Shield after allowing their certifications to lapse. IDmission had applied for a Privacy Shield certification but never completed the necessary steps to be certified. Continue Reading Four Companies Settle FTC Allegations Regarding False EU-U.S. Privacy Shield Certifications

On September 26, 2018, the U.S. Senate Committee on Commerce, Science, and Transportation convened a hearing on Examining Consumer Privacy Protections with representatives of major technology and communications firms to discuss approaches to protecting consumer privacy, how the U.S. might craft a federal privacy law, and companies’ experiences in implementing the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”). Continue Reading Senate Commerce Committee Holds Hearing on Examining Consumer Privacy Protections

On September 26, 2018, Uber Technologies Inc. (“Uber”) agreed to a settlement (the “Settlement”) with all 50 U.S. state attorneys general (the “Attorneys General”) in connection with a 2016 data breach affecting the personal information (including driver’s license numbers) of approximately 607,000 Uber drivers nationwide, as well as approximately 57 million consumers’ email addresses and phone numbers. The Attorneys General alleged that after Uber learned of the breach, which occurred in November 2016, the company paid intruders a $100,000 ransom to delete the data. The Attorneys General alleged that Uber failed to promptly notify affected individuals of the incident, as required under various state laws, instead notifying affected customers and drivers of the breach one year later in November 2017.  Continue Reading Uber Settles with 50 State Attorneys General for $148 Million In Connection with 2016 Data Breach

On September 23, 2018, California Governor Jerry Brown signed into law SB-1121 (the “Bill”), which makes limited substantive and technical amendments to the California Consumer Privacy Act of 2018 (“CCPA”). The Bill takes effect immediately,  and delays the California Attorney General’s enforcement of the CCPA until six months after publication of the Attorney General’s implementing regulations, or July 1, 2020, whichever comes first.  Continue Reading CCPA Amendment Bill Signed Into Law

The Information Commissioner’s Office (“ICO”) in the UK has issued the first formal enforcement action under the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (the “DPA”) on Canadian data analytics firm AggregateIQ Data Services Ltd. (“AIQ”). The enforcement action, in the form of an Enforcement Notice served under section 149 of the DPA, requires AIQ to “cease processing any personal data of UK or EU citizens obtained from UK political organizations or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes.” Continue Reading ICO Issues First Enforcement Action Under the GDPR

On August 29, 2018, Bloomberg Law reported that four Senate Commerce Committee members are discussing a potential online privacy bill. The bipartisan group consists of Senators Jerry Moran (R-KS), Roger Wicker (R-MS), Richard Blumenthal (D-CT) and Brian Schatz (D-HI), according to anonymous Senate aides. Continue Reading Senate Commerce Committee Members Rumored to be Discussing Online Privacy Bill

On August 22, 2018, California Attorney General Xavier Becerra raised significant concerns regarding the recently enacted California Consumer Privacy Act of 2018 (“CCPA”) in a letter addressed to the CCPA’s sponsors, Assemblyman Ed Chau and Senator Robert Hertzberg. Writing to “reemphasize what [he] expressed previously to [them] and [state] legislative leaders and Governor Brown,” Attorney General Becerra highlighted what he described as five primary flaws that, if unresolved, will undermine the intention behind and effective enforcement of the CCPA. Continue Reading California AG Voices Concern About State’s New Privacy Law

As reported on Hunton’s Insurance Recovery blog, the Second Circuit has rejected Chubb subsidiary Federal Ins. Co.’s request for reconsideration of the court’s July 6, 2018, decision, confirming that the insurer must cover Medidata’s $4.8 million loss under its computer fraud insurance policy. In July, the court determined that the loss resulted directly from the fraudulent emails. The court again rejected the insurer’s argument that the fraudster did not directly access Medidata’s computer systems. But the court again rejected that argument, finding that access indeed occurred when the “spoofing” code in emails sent to Medidata employees ended up in Medidata’s computer system. Continue Reading Second Circuit Stands By Medidata “Spoofing” Decision

On August 15, 2018, U.S. District Judge Lucy Koh signed an order granting final approval of the record $115 million class action settlement agreed to by Anthem Inc. in June 2017. As previously reported, Judge Koh signed an order granting preliminary approval of the settlement in August 2017. Continue Reading Judge Grants Final Approval of Record Data Breach Settlement in Anthem Class Action