Photo of Cynthia Larose

Cynthia Larose is a Member in Mintz Levin’s Corporate Group and leads our Privacy and Security practice. She is a Certified Information Privacy Professional, working with clients in various industries to develop comprehensive information security programs on the front end, and providing timely counsel when it becomes necessary to respond to a data breach.

EU laws concerning the transfer of employee personal data to the US are complex, and penalties for getting it wrong are set to increase dramatically when the General Data Protection Regulation (GDPR) goes into effect in May 2018. Whether you’re in-house counsel, a human resources professional, or a business owner, join us for a review of the current options for transferring personal data, including under Privacy Shield, and a preview of the new landscape under GDPR.

New York and California CLE credit available – register here – 

 

As data breaches dominate national headlines it remains important as ever for businesses to invest in security and to be ready to respond if a breach occurs.  Part of your preparedness program should be staying current on data breach legislation at the state level and we are here to help with a new installment of our “Mintz Matrix,” a detailed survey of U.S. state data breach notification laws.

There have been a few notable developments since we last published an update of the Mintz Matrix and below we have provided a snapshot of these changes.  Before reading on please download a copy of our September 2017 edition of the Mintz Matrix by clicking here. Continue Reading The Mintz Matrix – September 2017

As if the devastating effects of Hurricane Harvey are not bad enough, the United States Computer Emergency Readiness Team (US-CERT) of the Department of Homeland Security is warning of a different threat:  falling victim (or exposing your entire company) to Harvey-related phishing schemes.

Fraudulent emails carrying malware payloads or directing users to phishing or malware-infected websites have been identified and US-CERT is issuing cautions.  Emails requesting donations or appearing as “breaking news” alerts often appear during and after major natural disasters.

The warning continues:

US-CERT encourages users and administrators to use caution when encountering these types of email messages and take the following preventative measures to protect themselves from phishing scams and malware campaigns:

Make sure to take a minute and remind your network users about this scam so that we don’t create a new set of Harvey-related victims out of those who were just trying to help.

 

 Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data….This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”  

–Acting Federal Trade Commission Chair Maureen K. Oldhausen, In the Matter of Uber Technologies, Inc., Consent Order

To read more about this important FTC Consent Order and its implications for all companies with respect to privacy policies and the promises made to users/consumers, check out this Mintz Levin Privacy Alert.

 

 

Mintz Levin continues to be at the forefront of issues related to contractual arbitration provisions, helping clients optimize their dispute resolution and risk mitigation processes. Check out our sister blog’s latest post, which pieces together a top-10 list of issues in-house counsel should consider when crafting these provisions.   These questions can also apply to the crafting of arbitration clauses in online terms of use and privacy policies.

 

If you are one of the many businesses licensed by the New York Department of Financial Services (DFS), and cannot avail yourself of the (very) limited exemptions, you must be ready for the first compliance transition date for the stringent DFS cybersecurity regulations – August 28, 2017.

Just in case you’d forgotten, the DFS cybersecurity regulations became effective March 1, 2017 and you can refresh your memory here. Continue Reading Are You Ready for the New York August 28th Compliance Deadline?  

Recently, the Electronic Privacy Information Center (“EPIC”) asked the FTC to begin an investigation into a Google program called “Store Sales Management.”  The purpose of Store Sales Management is to allow for the matching goods purchased in physical brick and mortar stores to the clicking of online ads, or as we refer to the practice, “Bricks to Clicks.”

The significance of this is immense.  No longer will advertisers have to wonder how much revenue can be tied to a specific campaign, instead the Store Sales Management will give them insight into how actual consumers who viewed advertisements purchased certain products.  Continue Reading FTC Asked to Investigate Google’s Matching of “Bricks to Clicks”

If you are a retailer with locations in New Jersey, you will need to review your procedures in anticipation of a new law effective October 1, 2017. 

New Jersey Governor Chris Christie has signed the Personal Information Privacy and Protection Act (we can now add #PIPPA to the alphabet soup of privacy acronyms…..), which limits the ability of retailers to collect PII scanned from customer driver’s licenses and identification cards and restricts the usage of any PII collected for the purposes identified in the Act.

Within recent years, retailers have commonly started a practice of scanning the barcodes on customer ID cards to verify the authenticity of an ID presented, verify identity when credit cards are used, or to prevent and control fraudulent merchandise return practices (or to identify consumers who abuse return policies).

Under PIPPA, retailers will only be permitted to scan ID cards to:

  • Verify the card’s authenticity or the person’s identity, if the customer pays for goods or services with a method other than cash; returns an item; or requests a refund or exchange.
  • Verify the customer’s age when providing age-restricted goods or services to the customer.
  • Prevent fraud or other criminal activity if the person returns an item or requests a refund or an exchange and the retailer uses a fraud prevention company or service.
  • Establish or maintain a contractual relationship.
  • Record, retain, or transmit information as required by state or federal law.
  • Transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by federal laws, including the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, and Fair Debt Collection Practices Act.
  • Record, retain, or transmit information by a covered entity under HIPAA and related regulations.

PIPPA prohibits retailers from sharing the information with marketers or other third parties that are unknown to consumers.   It is unlikely that an online privacy notice describing sharing of scanned ID information with third parties would comply with PIPPA.  In-store notice of any such practices will likely be required.

The big “however” in this legislation is the restrictions on retention of the information when collected for the permitted purposes.  Under PIPPA businesses cannot retain information related to how the customer paid for the goods, whether the customer returned an item or requested a refund, and cannot store ages.   Retailers will only be permitted to collect the customer’s name, address, and date of birth; the issuing state; and the ID card number.    Any of this information collected from scanned ID cards Is required to be “securely stored” and PIPPA makes it clear that any security breach of this information is subject to New Jersey’s data breach notification law and must be reported to any affected individual and the New Jersey State Police.

And there are penalties.   PIPPA provides civil penalties of $2,500 for a first offense, and $5,000 for any subsequent offices.   Further the law allows for “any person aggrieved by a violation” to bring an action in NJ Superior Court to recover damages.