On January 10, 2019, Massachusetts Governor Charlie Baker signed legislation amending the state’s data breach law. The amendments take effect on April 11, 2019.
In connection with its hearings on data security, the Federal Trade Commission hosted a December 12 panel discussion on “The U.S. Approach to Consumer Data Security.” Moderated by the FTC’s Deputy Director for Economic Analysis James Cooper, the panel featured private practitioners Lisa Sotto, from Hunton Andrews Kurth, and Janis Kestenbaum, academics Daniel Solove (GW Law School) and David Thaw (University of Pittsburgh School of Law), and privacy advocate Chris Calabrese (Center for Democracy and Technology). Lisa set the stage with an overview of the U.S. data security framework, highlighting the complex web of federal and state rules and influential industry standards that result in a patchwork of overlapping mandates. Panelists debated the effect of current law and enforcement on companies’ data security programs before turning to the “optimal” framework for a U.S. data security regime. Among the details discussed were establishing a risk-based approach with a baseline set of standards and clear process requirements. While there was not uniform agreement on the specifics, the panelists all felt strongly that federal legislation was warranted, with the FTC taking on the role of principal enforcer.
On December 4, 2018, the Federal Trade Commission published a notice in the Federal Register indicating that it is seeking public comment on whether any amendments should be made to the FTC’s Identity Theft Red Flags Rule (“Red Flags Rule”) and the duties of card issuers regarding changes of address (“Card Issuers Rule”) (collectively, the “Identity Theft Rules”). The request for comment forms part of the FTC’s systematic review of all current FTC regulations and guides. These periodic reviews seek input from stakeholders on the benefits and costs of specific FTC rules and guides along with information about their regulatory and economic impacts.
The Federal Trade Commission published the agenda for the ninth session of its Hearings on Competition and Consumer Protection in the 21st Century (“Hearings Initiative”), a wide-ranging series of public hearings. The ninth session, to take place on December 11-12, 2018, will focus on data security. Lisa Sotto, chair of Hunton Andrews Kurth’s Privacy and Cybersecurity practice, is one of five panel participants discussing “The U.S. Approach to Consumer Data Security.” The panel will be moderated by James Cooper, Deputy Director for Economic Analysis of the FTC’s Bureau of Consumer Protection.
The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently submitted formal comments to the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) in response to its request for public comments on developing the administration’s approach to consumer privacy.
On November 9, 2018, the European Commission (“the Commission”) submitted comments to the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) in response to its request for public comments on developing the administration’s approach to consumer privacy.
On November 8, 2018, Privacy International (“Privacy”), a non-profit organization “dedicated to defending the right to privacy around the world,” filed complaints under the GDPR against consumer marketing data brokers Acxiom and Oracle. In the complaint, Privacy specifically requests the Information Commissioner (1) conduct a “full investigation into the activities of Acxiom and Oracle,” including into whether the companies comply with the rights (i.e., right to access, right to information, etc.) and safeguards (i.e., data protection impact assessments, data protection by design, etc.) in the GDPR; and (2) “in light of the results of that investigation, [take] any necessary further [action]… that will protect individuals from wide-scale and systematic infringements of the GDPR.”
Effective November 2, 2018, a new Ohio breach law will provide covered entities a legal safe harbor for certain data breach-related claims brought in an Ohio court or under Ohio law if, at the time of the breach, the entity maintains and complies with a cybersecurity program that (1) contains administrative, technical and physical safeguards for the protection of personal information, and (2) reasonably conforms to one of the “industry-recognized” cybersecurity frameworks enumerated in the law.
On November 1, 2018, Senator Ron Wyden (D-Ore.) released a draft bill, the Consumer Data Protection Act, that seeks to “empower consumers to control their personal information.” The draft bill imposes heavy penalties on organizations and their executives, and would require senior executives of companies with more than one billion dollars per year of revenue or data on more than 50 million consumers to file annual data reports with the Federal Trade Commission. The draft bill would subject senior company executives to imprisonment for up to 20 years or fines up to $5 million, or both, for certifying false statements on an annual data report. Additionally, like the EU General Data Protection Regulation, the draft bill proposes a maximum fine of 4% of total annual gross revenue for companies that are found to be in violation of Section 5 of the FTC Act.
On October 19, 2018, the Federal Trade Commission announced that it released a paper on the Staff Perspective on the Informational Injury Workshop (the “Paper”), which summarized the outcomes of a workshop it hosted on December 12, 2017 to discuss and better understand “informational injuries” (i.e., harm suffered by consumers as a result of privacy and security incidents, such as data breaches or unauthorized disclosures of data) in an effort to guide (1) future policy determinations related to consumer injury and (2) future application of the “substantial injury” prong in cases involving informational injury.