Recently proposed legislation in Ohio could provide businesses with special protection from lawsuits in the event of a hack under certain circumstances. Senate Bill 220 would shelter businesses that have been proactive in instituting defenses to guard against data breaches. The idea is to encourage firms to voluntarily enact privacy protections by promising them the ability to later claim an affirmative defense in court should a hack still occur.

Other states already require businesses to meet specific standards with regard to providing cyber security protections and preventing data breaches. In New York, businesses licensed by the Department of Financial Services (DFS) must meet compliance standards in accordance with DFS cybersecurity regulations. These standards require licensees to have a written cybersecurity program in place, maintain a cybersecurity policy that covers 14 regulation-specific areas, designate a qualified employee as a Chief Information Security Officer, and implement an incident response plan, among additional imperatives. Similarly, states differ with regard to their requirements of businesses in providing data breach notices. For example, in Massachusetts, notices must be provided to the affected resident, the Attorney General’s office, and to the Office of Consumer Affairs and Business Regulation (OCABR).

Ohio’s Senate Bill 220 is interesting in that it does not lay out a minimum set of standards that, if not met, could serve as grounds for litigation in the event of a breach. Businesses will be tasked with instituting their own cybersecurity programs using one of eight industry-specific frameworks developed by the National Institute of Standards and Technology. The legislation provides for an evolving standard, which means lawmakers won’t have to continually revisit the issue to update a minimum set of standards. Whether or not a business qualifies for the safe harbor provision will be up to a judge to determine if such business has met its burden. Ultimately, the key takeaway is that this new legislation will provide for compliance as an affirmative defense for businesses facing a lawsuit as a result of a data breach.

The Mintz Levin team will continue to monitor this pending legislation and update our readers as it develops.

The clock is ticking down to May 25, 2018 , the date that the European Union’s General Data Protection Regulation (GDPR) goes into effect.   The GDPR is likely to be a game-changer for US companies doing business with the European Union, and many are racing against the clock to figure out exactly what their compliance obligations are.

We are presenting an in-person seminar in three cities to help make sure your company is on the right course to GDPR compliance.

Join us in either Boston, New York or Washington, DC for a look at GDPR Essentials and GDPR Hot Topics.    Register here.

Mintz Levin is an approved CLE provider and this seminar is accredited in California and New York.   We are also approved by the International Association of Privacy Professionals for IAPP CPE credit.

The Federal Trade Commission (FTC) clarified in recent guidance how the Children’s Online Privacy Protection Act (COPPA) applies to internet-connected device companies and other businesses that collect and use children’s voice recordings.

COPPA compliance is necessary for all commercial websites and online or mobile service operators that collect personal information of children under the age of 13. Previously, the FTC has released clarifying updates regarding requirements for companies obtaining verifiable parental consent and the applicability of the law to educational institutions and businesses that provide online services to educational institutions. More recently, it has become important for new business models, such as those involved with Internet of Things devices, to understand how they can remain in compliance with COPPA obligations. In light of COPPA enforcement actions in recent years, we have prepared a helpful guide to ensure businesses know how to avoid violations. Continue Reading FTC Provides Additional Guidance on COPPA Policy for Voice Recordings

Executive summary:  The EU’s standard contractual clauses may be on the fast track to invalidation, putting a vast number of personal data transfers from the EEA at risk.  A case brought by Maximilian Schrems (whose first complaint resulted in the invalidation of Safe Harbor) has been referred to the EU’s highest court, via a 153-page Irish High Court decision that provides ample ammunition to those who would like to see the standard contractual clauses struck down.  Although aimed at Facebook, the consequences of the decision are virtually certain to affect all US companies that rely on the standard contractual clauses.

Many companies around the world rely on the EU’s standard contractual clauses (also known as the model clauses, and referred to in this article as the “SCCs”) as the legal basis for transferring personal data from the European Economic Area (EEA) to countries whose privacy laws have not been found adequate by the EU Commission.  The SCCs are private contracts, and while some EEA countries require that parties that enter into SCCs deposit a copy, other countries do not, so no one knows for sure how many companies rely on the SCCs.  But the answer is probably “an awful lot of companies.”  Given the data flows between the EEA and US, and the fact that, as of today, only around 2,500 companies rely on Privacy Shield as the legal basis for the data transfers, it’s safe to assume that for US companies, the standard contractual clauses are the primary mechanism for transferring personal data to the US.

The SCCs have been subject to a legal challenge by Maximillian Schrems (often called the Schrems II case) that has just reached a critical inflection point: The Irish High Court has just issued a decision referring to the Court of Justice of the EU (CJEU) the question of whether the SCCs are invalid.  The main thrust of the invalidity argument is the assertion that US national security laws do not offer adequate levels of protection for the rights of EU residents.  In particular, the argument runs, EU residents lack a meaningful remedy before US courts for uses of their personal data by US national security agencies that are inconsistent with those persons’ rights under EU law. Continue Reading Will the EU box itself in?  Fate of Standard Contractual Clauses (aka the Model Clauses) for personal data transfers is now in the hands of the EU’s highest court

As data breaches dominate national headlines it remains important as ever for businesses to invest in security and to be ready to respond if a breach occurs.  Part of your preparedness program should be staying current on data breach legislation at the state level and we are here to help with a new installment of our “Mintz Matrix,” a detailed survey of U.S. state data breach notification laws.

There have been a few notable developments since we last published an update of the Mintz Matrix and below we have provided a snapshot of these changes.  Before reading on please download a copy of our September 2017 edition of the Mintz Matrix by clicking here. Continue Reading The Mintz Matrix – September 2017

Many companies have started the potentially lengthy process of auditing their service provider contracts to make sure that they comply with the requirements of the General Data Protection Regulation, which comes into force on May 25, 2018.

Fortunately for those companies that are trying to kick-start their contract audit process, the UK Information Commissioner’s Office (ICO) is forging ahead with its promised series of guidance documents to help companies get ready for the GDPR. The latest addition is a draft guidance note on the GDPR’s requirements for contracts between data controllers (the folks who make decisions about what personal data will be processed, and for what purposes) and data processors (the folks who carry out processing activities on behalf of a data controller).

The requirement that there be a contract between data controllers and their data processors is not itself new.  Current EU data protection law requires data controllers to have contracts with data processors governing the security of the personal data held by the processor and requiring processor to process the personal data solely in accordance with the instructions of the controller.

But the contract requirements under the GDPR are much more expansive. Continue Reading Have you started auditing your contracts with your service providers that handle EU personal data?  UK Information Commissioner’s Office issues draft guidance for compliance with the GDPR’s contracting requirements.  

 Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data….This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”  

–Acting Federal Trade Commission Chair Maureen K. Oldhausen, In the Matter of Uber Technologies, Inc., Consent Order

To read more about this important FTC Consent Order and its implications for all companies with respect to privacy policies and the promises made to users/consumers, check out this Mintz Levin Privacy Alert.

 

 

 

If you are one of the many businesses licensed by the New York Department of Financial Services (DFS), and cannot avail yourself of the (very) limited exemptions, you must be ready for the first compliance transition date for the stringent DFS cybersecurity regulations – August 28, 2017.

Just in case you’d forgotten, the DFS cybersecurity regulations became effective March 1, 2017 and you can refresh your memory here. Continue Reading Are You Ready for the New York August 28th Compliance Deadline?  

If you are a retailer with locations in New Jersey, you will need to review your procedures in anticipation of a new law effective October 1, 2017. 

New Jersey Governor Chris Christie has signed the Personal Information Privacy and Protection Act (we can now add #PIPPA to the alphabet soup of privacy acronyms…..), which limits the ability of retailers to collect PII scanned from customer driver’s licenses and identification cards and restricts the usage of any PII collected for the purposes identified in the Act.

Within recent years, retailers have commonly started a practice of scanning the barcodes on customer ID cards to verify the authenticity of an ID presented, verify identity when credit cards are used, or to prevent and control fraudulent merchandise return practices (or to identify consumers who abuse return policies).

Under PIPPA, retailers will only be permitted to scan ID cards to:

  • Verify the card’s authenticity or the person’s identity, if the customer pays for goods or services with a method other than cash; returns an item; or requests a refund or exchange.
  • Verify the customer’s age when providing age-restricted goods or services to the customer.
  • Prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the retailer uses a fraud prevention company or service.
  • Establish or maintain a contractual relationship.
  • Record, retain, or transmit information as required by state or federal law.
  • Transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by federal laws, including the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Fair Debt Collection Practices Act.
  • Record, retain, or transmit information by a covered entity under HIPAA and related regulations.

PIPPA prohibits retailers from sharing the information with marketers or other third parties that are unknown to consumers.   It is unlikely that an online privacy notice describing sharing of scanned ID information with third parties would comply with PIPPA.  In-store notice of any such practices will likely be required.

The big “however” in this legislation is the restrictions on retention of the information when collected for the permitted purposes.  Under PIPPA businesses cannot retain information related to how the customer paid for the goods, whether the customer returned an item or requested a refund, and cannot store ages.   Retailers will only be permitted to collect the customer’s name, address, and date of birth; the issuing state; and the ID card number.    Any of this information collected from scanned ID cards Is required to be “securely stored” and PIPPA makes it clear that any security breach of this information is subject to New Jersey’s data breach notification law and must be reported to any affected individual and the New Jersey State Police.

And there are penalties.   PIPPA provides civil penalties of $2,500 for a first offense, and $5,000 for any subsequent offices.   Further the law allows for “any person aggrieved by a violation” to bring an action in NJ Superior Court to recover damages.

 


Decisions you make when founding and/or investing in an insurtech venture can dictate your regulatory obligations, tax liability, operational structure and, ultimately, profitability.

Here are five seemingly simple questions to ask when launching an insurtech venture (and do not miss question #3): Continue Reading Five Questions for Investors in Insurtech