Recently proposed legislation in Ohio could provide businesses with special protection from lawsuits in the event of a hack under certain circumstances. Senate Bill 220 would shelter businesses that have been proactive in instituting defenses to guard against data breaches. The idea is to encourage firms to voluntarily enact privacy protections by promising them the ability to later claim an affirmative defense in court should a hack still occur.

Other states already require businesses to meet specific standards with regard to providing cybersecurity protections and preventing data breaches. In New York, businesses licensed by the Department of Financial Services (DFS) must meet compliance standards in accordance with DFS cybersecurity regulations. These standards require licensees to have a written cybersecurity program in place, maintain a cybersecurity policy that covers 14 regulation-specific areas, designate a qualified employee as Chief Information Security Officer, and implement an incident response plan, among other requirements. States also differ in what they require of businesses when providing data breach notices. For example, in Massachusetts, notices must be provided to the affected resident, the Attorney General’s office, and the Office of Consumer Affairs and Business Regulation (OCABR).

Ohio’s Senate Bill 220 is interesting in that it does not lay out a minimum set of standards that, if not met, could serve as grounds for litigation in the event of a breach. Businesses will be tasked with instituting their own cybersecurity programs using one of eight industry-specific frameworks developed by the National Institute of Standards and Technology. The legislation provides for an evolving standard, which means lawmakers won’t have to continually revisit the issue to update a minimum set of standards. Whether a business qualifies for the safe harbor provision will be up to a judge, who must determine whether the business has met its burden. Ultimately, the key takeaway is that this new legislation will make compliance an affirmative defense for businesses facing a lawsuit as a result of a data breach.

The Mintz Levin team will continue to monitor this pending legislation and update our readers as it develops.

Consumers are increasingly turning to health apps for a variety of medical and wellness-related purposes. This has in turn caused greater amounts of data—including highly sensitive information—to flow through these apps. These data troves can trigger significant compliance responsibilities for the app developer, along with significant legal and contractual risk. It’s mission-critical to the successful development (and future viability) of a health app to consider the privacy issues up front (otherwise known as “privacy by design”) because it is cheaper to build it in than it is to remediate.

(Note:  This was originally posted as part 6 of a 7-part series on Building a Health App? on our sister blog, Health Law & Policy Matters.)


Continue Reading HIPAA and Other Privacy Considerations at Play when Building a Health App

The clock is ticking down to May 25, 2018, the date that the European Union’s General Data Protection Regulation (GDPR) goes into effect. The GDPR is likely to be a game-changer for US companies doing business with the European Union, and many are racing against the clock to figure out exactly what their compliance obligations are.

We are presenting an in-person seminar in three cities to help make sure your company is on the right course to GDPR compliance.

Join us in Boston, New York, or Washington, DC for a look at GDPR Essentials and GDPR Hot Topics.

Mintz Levin is an approved CLE provider and this seminar is accredited in California and New York. We are also approved by the International Association of Privacy Professionals for IAPP CPE credit.

It’s time for our monthly review of insights and news related to the Telephone Consumer Protection Act (TCPA). The October issue examines a ruling from the U.S. Court of Appeals for the Third Circuit, which held that plaintiffs can use affidavits to help meet the standard for TCPA class certification. In addition, the review covers a U.S. Senate hearing on the Do Not Call Registry and Federal Communications Commission activity related to robocalls and aspects of the TCPA’s prior express consent requirements.

Has your company recently beefed up its employee identification and access security and added biometric identifiers, such as fingerprints, facial recognition, or retina scans? Have you implemented new timekeeping technology utilizing biometric identifiers like fingerprints or palm prints in lieu of punch clocks? All of these developments provide an extra measure of security control beyond key cards, which can be lost or stolen, and can help to control a timekeeping fraud practice known as “buddy punching.” If you have operations and employees in Illinois (or if you utilize biometrics such as voice scans to authenticate customers located in Illinois), your risk and liability could have increased with the adoption of such biometric technology, so read on ….

Continue Reading The Law of Unintended Consequences: BIPA and the Effects of the Illinois Class Action Epidemic on Employers

The Federal Trade Commission (FTC) clarified in recent guidance how the Children’s Online Privacy Protection Act (COPPA) applies to internet-connected device companies and other businesses that collect and use children’s voice recordings.

COPPA compliance is necessary for all commercial websites and online or mobile service operators that collect personal information of children under the age of 13. Previously, the FTC has released clarifying updates regarding requirements for companies obtaining verifiable parental consent and the applicability of the law to educational institutions and businesses that provide online services to educational institutions. More recently, it has become important for new business models, such as those involved with Internet of Things devices, to understand how they can remain in compliance with COPPA obligations. In light of COPPA enforcement actions in recent years, we have prepared a helpful guide to ensure businesses know how to avoid violations.

Continue Reading FTC Provides Additional Guidance on COPPA Policy for Voice Recordings

Spoiler Alert: Behavioral advertising companies will find some bad news in the guidance.

The Article 29 Working Party (WP29) advisory group, which will soon become the more transparently named (and very powerful) European Data Protection Board, is busy drafting and issuing guidance documents to help organizations understand how European data protection authorities will interpret various requirements of the General Data Protection Regulation (GDPR). WP29 recently issued draft guidance relating to automated decision-making and profiling that will be critical for all organizations that conduct those activities. The draft guidance is open for comments until Nov. 28, 2017. This post recaps some of the particularly interesting aspects of the draft guidance, which can be found in full here (scroll down to the items just above the “Adopted Guidelines” section).

But first, what counts as automated decision-making under the GDPR? And what is “profiling”?

Continue Reading Key GDPR Guidance on Behavioral Advertising, Profiling and Automated Decision-Making

As was generally expected from informal comments by EU representatives, Privacy Shield has survived its first annual review. Commissioner Jourova stated: “Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation.” Specifically, the Commission highlighted the following in the press release today in which it announced its conclusions:

  • More proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce. The U.S. Department of Commerce should also conduct regular searches for companies making false claims about their participation in the Privacy Shield.
  • More awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.
  • Closer cooperation between privacy enforcers i.e. the U.S. Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs), notably to develop guidance for companies and enforcers.
  • Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorisation and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA).
  • To appoint as soon as possible a permanent Privacy Shield Ombudsperson, as well as ensuring the empty posts are filled on the Privacy and Civil Liberties Oversight Board (PCLOB).

It’s worth noting the recommendation regarding enshrining the protections for non-Americans under Presidential Policy Directive 28 in the reauthorization of Section 702 — while President Trump has not withdrawn PPD-28, it’s not a given that protection for foreigners will be built into FISA.

The full report is available here.

This week’s disclosure that a 2013 data breach may have affected all 3 billion Yahoo accounts then in existence could alter the scope of the consolidated data breach cases currently pending against Yahoo in the federal court in San Francisco. In the wake of the court’s August 30 order denying Yahoo’s motion to dismiss the case, the parties have been in the process of negotiating a schedule for discovery and motion practice. The parties had been due to make their joint scheduling submission to the Court today. However, just last night, Judge Lucy Koh issued an order postponing the submission deadline in order to allow the parties to address the impact of Yahoo’s recent disclosure. The court ordered Yahoo to “disclose to Plaintiffs available information regarding the recent data breach disclosure by October 6, 2017, so that the Joint Case Management Statement can propose a realistic amended case schedule.” The court also directed that Yahoo “expedite its production of discovery regarding the recent data breach disclosure and include a proposal to do so” in the parties’ joint scheduling submission, which is now due to be submitted on October 11, 2017.

Continue Reading 3 Billion Compromised Yahoo Accounts May Yield Largest Plaintiff Class Ever

EU laws concerning the transfer of employee personal data to the US are complex, and penalties for getting it wrong are set to increase dramatically when the General Data Protection Regulation (GDPR) goes into effect in May 2018. Whether you’re in-house counsel, a human resources professional, or a business owner, join us for a review of the current options for transferring personal data, including under Privacy Shield, and a preview of the new landscape under GDPR.

New York and California CLE credit is available.