The European Data Protection Board (“EDPB”) recently released Guidelines 3/2018 on the territorial scope of the GDPR (Article 3). The Guidelines, which address the key threshold issue of the GDPR’s applicability, are particularly important for companies outside the European Union seeking to understand the GDPR’s application to their business activities. The Guidelines are open to public comment until January 18, 2019, after which time the EDPB will publish a final version of the Guidelines.
Polsinelli on Privacy | Privacy and Data Security Blog
In an increasingly competitive environment, effectively leveraging technology can be the difference between success and failure for companies in all sectors of the economy. Protecting your data and securing employee/end user privacy – this is the goal of Polsinelli’s Privacy and Data Security practice and it’s what keeps us up at night.
We offer compliance and security counseling, transactional support, data breach rapid response, and breach litigation and counseling. In 2017 we were named a Leader by BTI in their annual "Law Firms Best at Cybersecurity" ranking.
Managing data privacy and cybersecurity risks when leveraging cloud services proves challenging for many cloud services customers. Requirements imposed by the EU’s General Data Protection Regulation and the California Consumer Privacy Act require customers to take a more intentional and informed approach to their relationships with these providers. This article outlines several key considerations that cloud services customers should keep in mind when operating under this new regulatory framework and includes suggestions for improving due diligence efforts as well as market-based approaches for negotiating contractual protections with cloud service providers.
The European Union’s General Data Protection Regulation (GDPR) has multiple levels of provisions that can be complicated for organizations that require a consumer’s consent to process their data. In an interview with Marianne Kolbasuk McGee of Bank Info Security, Elizabeth (Liz) Harding, shareholder in Polsinelli’s Tech Transitions and Data Privacy practice, weighs in on the common misconceptions of GDPR compliance and regulatory changes.
The Federal Trade Commission recently entered into settlement agreements with four companies regarding claims that the companies misrepresented their compliance with the EU-U.S. Privacy Shield Framework. Each company indicated on its website that it actively participated in the EU-U.S. Privacy Shield.
By: Randall Stempler
After just recently enacting the broadest United States privacy law, the California Consumer Privacy Act of 2018, California took the lead once again by enacting a law for the “Security of Connected Devices,” commonly known as the Internet of Things. Both laws will become effective on January 1, 2020.
By: Allison Trimble
The U.K. Information Commissioner’s Office announced it will impose the maximum fine of $660,000 for Facebook’s breach of the U.K. Data Protection Act (see Notice of Intent). The breach, which includes both the failure to safeguard personal information and the failure to provide transparency as to how personal information was harvested by others, is tied to the Cambridge Analytica scandal in which the personal information of 87 million Facebook users was improperly shared with third parties without such users’ consent.
The FTC recently announced a revised settlement with Uber Technologies, Inc. (“Uber”) in which the ride-sharing company has agreed to expand the proposed settlement it reached with the FTC last year over charges that Uber deceived consumers about its privacy and data security practices.
By: Reece Clark
Software escrow arrangements are gaining increasing importance in complex technology deals. Software escrows can be an effective way to mitigate certain future risks involving the licensing of commercial software, a SaaS service, or some other technology product. The application of escrow principles to technology deals comes with unique considerations for parties seeking such services. This article explores basic software escrow principles and best practices.
By: Greg Kratofil
Speaking at the National HIPAA Summit in Arlington, VA this past week (April 3, 2018), the Federal Trade Commission (FTC) highlighted the importance of healthcare providers having information security agreements in place with vendors. “Companies need to have contracts in place to specifically address privacy and security,” said Molly Crawford, the Chief of Staff for the FTC’s privacy and identification division.
Crawford further provided that new solutions for handling data are not governed by longstanding federal rules and statutes for healthcare privacy and security, including HIPAA. While noting that the FTC works closely with the Department of Health and Human Services, “the FTC is the primary consumer protection agency,” Crawford said, and reinforced the role the FTC will play in protecting consumer data.
There is an increased interest in cyber security insurance for businesses amid frequent news of computer hacking, network intrusions, data theft, and high-profile ransomware attacks. Since cyber security insurance is relatively new to the market, many companies lack a basic understanding of what their policy covers and what it may not.
By: Zuzana S. Ikels
The Second Circuit recently addressed a matter of first impression, interpreting the scope and effect of the FCC’s Healthcare Exception from violations of the Telephone Consumer Protection Act (“TCPA”) to healthcare providers for contacting patients about their care. In Latner v. Mt. Sinai Health Center, the patient came for a routine visit and signed a written consent form containing his contact information and granted consent to Mt. Sinai to use his health information “for payment, treatment and hospital operations purposes.” Ten years later, the patient received a single text message reminding him to get an immunization shot. The plaintiff sued, asserting it violated the TCPA.
By: Reece Clark
As the world rings in 2018, privacy experts collectively brace for a new year of information security challenges. While ransomware, denial of service attacks, and endpoint security vulnerabilities will remain top of mind in 2018, new threats and risk factors will also emerge. Likewise, traditional hacking threats are likely to be more sophisticated in 2018, with new and more powerful hacking tools in the hands of bad actors. Businesses, consumers, and governments must remain vigilant in their information security posture as they face these new and diverse cybersecurity challenges. Polsinelli on Privacy looks at four areas of information security poised to make headlines in 2018.
By: Reece Clark
Consumers can expect increased competition, efficiency, and innovation in the payment services sphere when the European Union’s long-anticipated revised Payments Service Directive (“PSD2”) comes into effect on January 13, 2018. However, European banks and service providers will not be required to immediately harden their customer data exchange security measures in response. According to a recent press release from the European Commission, payments service providers will have up to 18 months after the release of the PSD2’s Regulatory Technical Standards (“RTS”) to upgrade their payment security systems. RTS is slated for release in September 2019, giving market players until Q1 2021 to move their systems and procedures into compliance.
In a new policy enforcement statement, the Federal Trade Commission (“FTC”) has provided additional guidance on when verifiable parental consent must be obtained for a website operator or provider of online services to receive or use voice recordings from children under 13. Under the Children’s Online Privacy Protection Act (“COPPA”), verifiable parental consent must be obtained prior to collecting personal information from children over the internet. The definition of “personal information” includes audio files such as voice recordings. 16 C.F.R. § 312.2. However, in the recent policy enforcement statement, the FTC has stated it will not take enforcement action (subject to the limitations described below) against parties who do not obtain parental consent when a voice recording is used “solely as a replacement of written words” so long as the voice recording is (a) briefly used solely for that purpose; and (b) is deleted immediately thereafter. In doing so, the FTC made a distinction between voice recordings that are made in connection with purposes such as verbal searches or verbal instructions to a connected device and voice recordings that are made for other purposes. According to the FTC, voice recordings made for the purpose of verbal searches and verbal instructions are the result of a technological evolution where voice is beginning to replace written words in some scenarios.
The EU-U.S. Privacy Shield has passed its first test: the first joint annual review. If your organization has been waiting for a positive review of the Privacy Shield to join, now is a good time to consider moving forward.
The European Commission and the U.S. Department of Commerce conducted the first joint annual review of the Privacy Shield in September. The joint annual review helps ensure that the Privacy Shield remains “adequate” under EU data protection law over time. The European Commission’s published report following the review generally expresses support for the Privacy Shield, with some noted opportunities for improvement, including increased enforcement activity and efforts to raise awareness among EU residents of their Privacy Shield rights.
Several news reports today sounded the alarm that the WPA2 protocol, currently the most popular method of securing Wi-Fi communications, is vulnerable to the “KRACK” attack. Despite the amusing name, this vulnerability is extremely serious.
KRACK stands for Key Reinstallation Attack. In essence, this attack tricks Wi-Fi enabled devices into reinstalling the “nonce,” which is a randomly generated, one-time numerical key used to encrypt communications between the targeted device and the router/gateway. Once the attacker has compromised this key, it can eavesdrop on the packets that are sent to/from the target device or, alternatively, it can forge packets to inject viruses or other malicious code onto a target machine.
On September 5, 2017, the Ninth Circuit Court of Appeals reversed a district court’s decision granting Turn Inc.’s motion to compel arbitration of a putative privacy class action related to targeted advertising efforts on mobile devices.
In Re Anthony Henson and William Cintron v. Turn, Inc. was filed in the Northern District of California by two Verizon cellular and data subscribers against Turn. The case reflects a notable pivot in strategy in data privacy litigation. Data privacy cases have previously been directed at the webpage/content providers or telecommunication providers that shared or processed users’ online activities. The plaintiffs in Henson did not sue Verizon or the webpages; instead, they sued the technology companies that enable the targeting.
Three University of California-Berkeley researchers have written a paper discussing the first “practical approach for differential privacy.” This new method, referred to as “Elastic Sensitivity,” excludes the components of tables in large data sets and big data databases that contain individual information from the other data before running the query.
In June 2017, the Health Care Industry Cybersecurity Task Force issued its Report on Improving Cybersecurity in the Health Care Industry.
The task force was created by Congress as part of the Cybersecurity Act of 2015, and is comprised of subject matter experts from the public and private sector that evaluated the cybersecurity threats, the security of IT systems, and the regulations and laws that relate to the health care industry. In the Report, the task force discusses the evolution and transition from paper to electronic healthcare records (“EHR”), and tailors the recommendations to encourage opportunities for efficiencies, research and sharing of information, while responding to the increasing threat of cybersecurity breaches to the health care providers’ technical infrastructure.