Data Protection

Subscribe to Data Protection

The ACC Foundation will be hosting a webcast on April 18, 2018 at 12:00 EDT to discuss the preliminary results of the Foundation’s State of Cybersecurity Report.  This is the second Report of its kind that the ACC Foundation has published.  You can sign up for the webcast here.

The Report surveyed 600 in-house counsel from around the world on a range of cybersecurity issues including data breach response, information security standards, GDPR preparation, vendor management and cyberinsurance.  The Report provides valuable cybersecurity benchmarking in a range of industries and identifies hot button issues for in-house counsel with responsibility for managing their company’s cybersecurity programs to consider.

Ballard Spahr served as a sponsor for the Report (as it did in 2015 for the first Report).  Phil Yannella, co-chair of Ballard’s Privacy & Data Security Group, served on the Advisory Board for the Report and will participate in the webcast.

 

The U.S. Consumer Product Safety Commission (CPSC) recently announced that it will hold a hearing on May 16, 2018, to receive information on potential hazards with Internet of Things (IoT) products.

In its public notice, the CPSC explained that the “purpose of the public hearing . . . is to provide interested stakeholders a venue to discuss potential safety hazards created by a consumer product’s connection to IoT or other network-connected devices; the types of hazards (e.g., electrical, thermal, mechanical, chemical) related to the intended, unintended, or foreseeable misuse of consumer products because of an IoT connection; current standards development; industry best practices; and the proper role of the CPSC in addressing potential safety hazards with IoT-related products.” The notice also clarifies that the hearing “will not address personal data security or privacy implications of IoT devices.”

So why does this matter? 

Continue Reading Data Security Litigation: CPSC to Hold Hearing on The Internet of Things and Consumer Product Hazards

In March, we reported that the Oregon legislature was considering amending its data breach notification and information security laws. That legislation has now passed the Oregon legislature and been signed into law by Oregon’s governor.  A copy of the new law is available here. The most notable changes are as follows:

Continue Reading Oregon Amends Data Breach Notification and Information Security Laws

With the European Union’s General Data Protection Regulation (GDPR) set to go into effect on May 25, 2018, many questions remain as to what entities that control and process data from EU citizens must do to comply. One such issue is the ongoing effort by the Internet Corporation for Assigned Names and Numbers (ICANN) to ensure that the WHOIS service (an online database of identity and contact information for registrants of web domains) complies with GDPR. Continue Reading GDPR And The Future of WHOIS Data

In the absence of federal action, state legislators continue to propose bills that would increase data privacy and security protections for consumers. Any entity that does business in these states or maintains confidential information of their residents should monitor the legislation to determine whether and how the proposed changes may affect operations.

The bills are a reaction to Equifax’s data breach disclosure last summer. In prior alerts and articles, we discussed proposed legislation in Arizona, Colorado, North Carolina, and South Dakota. In this post, we examine legislation being considered in Oregon, New York, Alabama, and Rhode Island.

To put the discussion into context, 48 states already have laws requiring entities to notify affected individuals if the entity suffers a loss or compromise of the individuals’ confidential information. Those laws differ in many respects, resulting in a complex web of legal responsibilities that creates headaches for entities required to comply with them.

The challenge will become even more complex if the proposed bills become law, because, generally speaking, they would:

  • expand the types of confidential information covered under state breach notification requirements;
  • implement specific deadlines for when affected individuals must be notified;
  • require businesses to implement and maintain reasonable security procedures to prevent data breaches; and
  • authorize state attorneys general to enforce these provisions through substantial fines and penalties for non-compliance.

Continue Reading Oregon, New York, Alabama, and Rhode Island Join List of States Considering Data Breach Legislation Post-Equifax

The U.S. Supreme Court heard oral arguments this morning in United States v. Microsoft, No. 17-2, which presents the question whether a United States court may issue a search warrant to a U.S.-based electronic communications service for email account data held on a server outside of the United States.

Here’s the transcript of this morning’s oral argument.  We will blog more about this case — and the important issues at stake — down the road.

The GDPR’s impact on the ability of U.S. litigants to conduct discovery of EU personal data is an issue that has received scant legal analysis. In a recent article for The Legal Intelligencer, Philip N. Yannella discusses the challenges, and potential costs, awaiting U.S. litigants as they attempt to conduct EU discovery under the GDPR.

You can check out the article here.

Time

Add South Dakota (site of Ballard’s newest office) and North Carolina to the list of states considering new data security legislation. South Dakota is poised to become the 49th state to enact a data breach notification law, while North Carolina is considering a very significant expansion of its existing law.

Will South Dakota Become No. 49?

The South Dakota Senate passed SB 62 on January 25, 2018. The bill, which now heads to the South Dakota House of Representatives, generally would require an “information holder” to notify South Dakota residents of any “breach of system security” involving their “personal or protected information.” Subject to certain exceptions, notification to South Dakota residents must be made “not later than sixty days from the discovery or notification of the breach of system security.” The South Dakota Attorney General and “all consumer reporting agencies as defined in 15 U.S.C. § 1681a” also must be notified of breaches involving more than 250 South Dakota residents. Notification to South Dakota residents is not required “if following appropriate investigation and notice to the attorney general, the information holder reasonably determines that the breach will not likely result in harm to the affected person.” Continue Reading South Dakota and North Carolina Consider New Data Security Legislation

The lawsuit by Austrian lawyer and serial plaintiff, Max Schrems, against Facebook suffered a setback in a ruling by the Court of Justice of the European Union (CJEU) last week. Schrems sought to bring class action-type claims on behalf of 25,000 participants worldwide in his home country of Austria, alleging that Facebook violated European Union privacy law when it assisted the United States National Security Agency’s PRISM surveillance program. Specifically, Schrems alleged that there is no adequate level of protection of European citizens’ Facebook data when it is transferred to the United States, because it could be accessed by US authorities without individualized suspicion. According to Schrems, Facebook’s collaboration with US authorities violated the Austrian data protection law of 2000, the Irish Data Protection Act of 1998, and Directive 95/46/EC of the European Parliament. Continue Reading CJEU Issues Mixed Ruling for Schrems’ Class Action Against Facebook

For those of you heading to Legaltech in New York next week, please join me and a great panel for what promises to be a lively discussion of hot topics in IoT and Mobile Discovery.  I’ve been fortunate enough to have been included in Relativity’s session on this topic at a number of conferences, and this next iteration is shaping up to be our best yet.  Here’s our session description:

From the Iron Rooster to Amazon Alexa: Mobile Discovery and the Internet of Things

Whether it’s missing mobile data (Montgomery v. Iron Rooster-Annapolis, LLC), digital data in a truck (Below v. Yokohama Tire Corp.), Fitbit data (State v. Dabate), or data from an Amazon Alexa (State v. Bates) mobile discovery and data from the Internet of Things (IoT) devices present challenges, not only for litigants and their lawyers, but for corporate organizations, paralegals, and technologists as well. In this session, lawyers and consultants, including a former Department of Justice cybercrime coordinator, a prominent discovery attorney, a corporate information governance expert, and a leading legal industry analyst, will address the legal, technical, and practical considerations of mobile, social, and IoT data, including preservation requirements and data privacy limitations.

Here’s the link to the Legaltech page, in case you haven’t registered yet.  Hope to see you in NYC!