The European Union’s General Data Protection Regulation (GDPR) has multiple levels of provisions that can be complicated for organizations that require a consumer’s consent to process their data. In an interview with Marianne Kolbasuk McGee of Bank Info Security, Elizabeth (Liz) Harding, shareholder in Polsinelli’s Tech Transitions and Data Privacy practice, weighs in on the common misconceptions of GDPR compliance and regulatory changes.
Polsinelli on Privacy | Privacy and Data Security Blog
In an increasingly competitive environment, effectively leveraging technology can be the difference between success and failure for companies in all sectors of the economy. Protecting your data and securing employee/end user privacy – this is the goal of Polsinelli’s Privacy and Data Security practice and it’s what keeps us up at night.
We offer compliance and security counseling, transactional support, data breach rapid response, and breach litigation and counseling. In 2017 we were named a Leader by BTI in their annual "Law Firms Best at Cybersecurity" ranking.
By: Randall Stempler
After just recently enacting the broadest United States privacy law, the California Consumer Privacy Act of 2018, California took the lead once again by enacting a law for the “Security of Connected Devices,” commonly known as the Internet of Things. Both laws will become effective on January 1, 2020.
By: Allison Trimble
The U.K. Information Commissioner’s Office announced it will impose the maximum fine of $660,000 for Facebook’s breach of the U.K. Data Protection Act (see Notice of Intent). The breach, which includes both the failure to safeguard personal information and the failure to provide transparency as to how personal information was harvested by others, is tied to the Cambridge Analytica scandal in which the personal information of 87 million Facebook users was improperly shared with third parties without such users’ consent.
The FTC recently announced a revised settlement with Uber Technologies, Inc. (“Uber”) in which the ride-sharing company has agreed to expand the proposed settlement it reached with the FTC last year over charges that Uber deceived consumers about its privacy and data security practices.
By: Reece Clark
Software escrow arrangements are gaining increasing importance in complex technology deals. Software escrows can be an effective way to mitigate certain future risks involving the licensing of commercial software, a SaaS service, or some other technology product. The application of escrow principles to technology deals comes with unique considerations for parties seeking such services. This article explores basic software escrow principles and best practices.
In a new policy enforcement statement, the Federal Trade Commission (“FTC”) has provided additional guidance on when verifiable parental consent must be obtained for a website operator or provider of online services to receive or use voice recordings from children under 13. Under the Children’s Online Privacy Protection Act (“COPPA”), verifiable parental consent must be obtained prior to collecting personal information from children over the internet. The definition of “personal information” includes audio files such as voice recordings. 16 C.F.R. § 312.2. However, in the recent policy enforcement statement, the FTC has stated it will not take enforcement action (subject to the limitations described below) against parties who do not obtain parental consent when a voice recording is used “solely as a replacement of written words” so long as the voice recording is (a) briefly used solely for that purpose; and (b) is deleted immediately thereafter. In doing so, the FTC made a distinction between voice recordings that are made in connection with purposes such as verbal searches or verbal instructions to a connected device and voice recordings that are made for other purposes. According to the FTC, voice recordings made for the purpose of verbal searches and verbal instructions are the result of a technological evolution where voice is beginning to replace written words in some scenarios.
On September 5, 2017, the Ninth Circuit Court of Appeals reversed a district court’s decision granting Turn Inc.’s motion to compel arbitration of a putative privacy class action related to targeted advertising efforts on mobile devices.
In Re Anthony Henson and William Cintron v. Turn, Inc. was filed in the Northern District of California by two Verizon cellular and data subscribers against Turn. The case reflects a notable pivot in strategy in data privacy litigation. Data privacy cases have previously been directed at the webpage/content providers or telecommunication providers that shared or processed users’ online activities. The plaintiffs in Henson did not sue Verizon or the webpages; instead, they sued the technology companies that enable the targeting.
Few issues keep executives awake at night more than Privacy and Data Security. New regulations and threats alike are plentiful, varied, and evolving. The rate of change for cybersecurity and information governance continues to increase, while corporate budgets to address them remain stretched.
As your organization prepares for 2017, data security, privacy compliance, and new technological threats are sure to be on your list of priorities. This guide highlights some key Privacy and Data Security trends and expectations for the new year. Organizations that are well prepared to address the issues highlighted in this guide will be better positioned to mitigate risk and strengthen compliance efforts.
By Jean Marie R. Pechette and Daniel L. Farris
As the May 2018 effective date of the General Data Protection Regulation (GDPR) looms, U.S. companies have had to expand their investment in implementing measures to ensure compliance with the GDPR. According to a recent PwC Pulse Survey, 92% of respondents considered GDPR a “top priority” in 2017, with 77% of companies planning to allocate more than $1 million, and 68% saying their budget falls between $1 million and $10 million.
In the past year, the Department of Health and Human Services, Office for Civil Rights (OCR) has issued a number of guidance documents* to clarify its interpretation of key requirements set forth in the HIPAA Privacy and Security Rules (45 C.F.R. Part 160, 162, and 164) (collectively, the HIPAA Rules). Its latest guidance clarifies OCR’s position on cloud service providers (CSPs) as business associates (the Cloud Guidance), and the related requirements under the HIPAA Rules through a series of FAQs. Importantly, the Cloud Guidance applies to all CSPs equally, regardless of the level of functionality or services provided (e.g., the provision of an electronic medical record system on the cloud, versus limited application hosting).
OCR kicked off the Cloud Guidance by clarifying its position on an issue that Covered Entities and CSPs have continued to debate for quite some time: whether a CSP is a business associate if the Protected Health Information (PHI) that is stored in its cloud is encrypted and the CSP does not possess the encryption key.
By Amanda J. Katzenstein
More than 700 companies have self-certified to comply with the Privacy Shield in the two months since the Department of Commerce began accepting submissions. The number of applications is expected to rise as the September 30, 2016 deadline for a special grace period looms, and the number is expected to slow down after October 1, 2016 because the compliance obligations increase after the deadline.
By JJ Bollozos, Joseph D. McClendon, and Daniel L. Farris
For thousands of U.S. companies left in limbo after the invalidation of Safe Harbor last year, relief has finally arrived. The European Commission (“EC”) formally approved and adopted the new trans-Atlantic Privacy Shield data transfer pact on Tuesday, opening the door for new certification and EU-US data transfers.
Despite the fact that Business Associates have been directly subject to and liable under the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) since February 18, 2010 (the effective date of the relevant provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act), the Department of Health & Human Services, Office for Civil Rights (OCR), announced last Thursday, June 30, 2016, that it has entered into its first resolution agreement with a HIPAA Business Associate.
By Daniel L. Farris
As markets tumble and many business leaders try to predict what the Brexit may mean for their organizations, privacy officers should remember the neo-classic British refrain: Keep Calm and Carry On.
There may be turmoil, confusion, new regulations, and new compliance regimes ahead, but it will likely take years for the UK to untangle itself from the European Union, and even then the UK may well remain within the European Economic Area. For US companies with transatlantic operations, the best course is to continue a measured but deliberate approach towards eventual GDPR compliance.
Dwolla, Inc., a company that claims to offer secure, ready-to-use payment tools that simplify how people send or receive money from anyone in the U.S., has been hit with a $100,000 penalty and an annual data-security audit compliance plan. Dwolla, based in Des Moines, Iowa, has collected and stored sensitive personal information from consumers since 2009, such as address, date of birth, telephone number and Social Security number. In addition, consumers provide their bank account and routing number to link their bank accounts to their Dwolla account. Dwolla has approximately 653,000 members and transfers as much as $5,000 per day.
A few days ago, the Federal Trade Commission issued warning letters to 12 application developers because the apps use the software Silverpush. According to the FTC, Silverpush is designed to monitor a user’s television use regardless of whether the user is actively using the particular app, enabling it to provide a detailed record of the consumer’s television use for the purpose of marketing analytics and targeted advertising. The FTC instructed the app developers to notify consumers if the software is being used in the U.S., which Silverpush claims it is not.
By Dov H. Scherzer and Daniel L. Farris
The European Commission and United States Department of Commerce agreed to a new transatlantic data transfer pact on Tuesday, two days after the January 31st deadline imposed by European data protection authorities. The deal comes four months after the European Court of Justice invalidated the Safe Harbor Agreement in Schrems v. Data Protection Commissioner.
Last Friday, the Eleventh Circuit addressed a question of first impression at the appellate level, namely, when a user of a free mobile application is a “subscriber” under the Video Privacy Protection Act (“VPPA”). In Ellis v. the Cartoon Network, Plaintiff downloaded defendant Cartoon Network’s free mobile app to watch video clips and shows. Without plaintiff’s knowledge or consent, the app monitored and tracked his viewing habits. The app did not collect plaintiff’s name or other contact or financial information; rather, it tracked him based upon a unique number identifier associated with his device. The info was then shared with third party marketing companies. Plaintiff filed a putative class action alleging the app violated VPPA. VPPA prohibits video providers from disclosing the personal information of a “consumer” to a third party, without prior consent, assessing a $2,500 statutory penalty per violation.
The fallout from the EU Court of Justice (ECJ) Schrems decision invalidating the Safe Harbor continues.
As posted earlier this month, the national Data Protection Authorities (DPAs) from across the EU met under the auspices of the Article 29 Working Party (Working Party) to discuss the consequences to be drawn from the ECJ’s ruling.
By Daniel L. Farris
The seemingly unending reports of high profile data breaches have been a boon for privacy and data security startups, the Wall Street Journal recently reported. Venture firms have invested $1.2 billion in cybersecurity startups through the first half of 2015.
All of this investment makes privacy and data security big business, and demonstrates the importance that cybersecurity will have to economic growth going forward. The investments, however, demonstrate something else: risk. Not just the risk that investors in startup companies will have, but the increased risks established organizations will have in selecting good vendors to secure their products and services.