The Mintz Levin Privacy and Security team is pleased to welcome Brian H. Lam to our group of privacy and security professionals.  Brian comes to Mintz with broad experience in data aggregation, network data security, and technology transactions – in particular, the role security infrastructure plays in both technology transactions and M&A transactions.

Brian brings important real-world technical and legal expertise to our clients:  he has undergraduate and graduate degrees in computer science (B.S. and M.S. from University of Colorado); has worked as a network security analyst prior to entering the University of Southern California law school; and is credentialed as a Certified Information Security Professional (CISSP), which is recognized by security professionals around the world as the field’s premier certification program.


While it’s making few headlines, the European Commission is still working to finalize Privacy Shield, and it’s even possible that Privacy Shield will pass a key hurdle by the end of this month.  The Commission is still scrambling to address the concerns raised by the Article 29 Working Party and the European Data Protection Supervisor concerning the Privacy Shield arrangements that the Commission had negotiated with the US.  (The European Parliament has also criticized Privacy Shield.)  Some of the concerns raised so far have made it necessary for the Commission to negotiate further with the U.S. State Department.  And now the Commission is shortly to present a proposed final version of Privacy Shield to the Article 31 Committee, which represents the Member States.

If the Art. 31 Committee agrees with the Commission, Privacy Shield will be submitted to the College of the Commission for  formal adoption.  If the Art. 31 Committee does not endorse the Privacy Shield arrangements, the Commission will need to consider further how to proceed.  Also, the Council or Commission could intervene as permitted by the comitology procedure (which could result in more pressure on the Commission to negotiate further with the US).

News sources have speculated as to the status of the Article 31 negotiations (see here and here (scroll down)), but given the lack of specific information from the Commission on this point, it’s tough to tell what the real status is.  In any event, while we expect to have some more concrete news by the end of June as to the progress of Privacy Shield, it is unlikely that Privacy Shield will be formally adopted by then.

And it’s important to keep in mind that, as soon as Privacy Shield limps over the finish line (assuming it doesn’t succumb to death by a thousand objections), it will almost certainly face immediate litigation seeking to have the Court of Justice of the EU invalidate it.

PS – for those who’ve been wondering, Brexit (should it occur) is unlikely to result in the UK taking a divergent path from the EU on general data protection rules.

The Department of Homeland Security (DHS) and the Department of Justice (DOJ) have issued the long-awaited final procedures for both Federal and Non-Federal Entities under the Cybersecurity Information Sharing Act (CISA) (the “Final Procedures”) that explain how DHS will implement CISA.  In addition to the Final Procedures, the agencies also released “Guidance to Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015” (the “Guidance”).

As we have written previously, a company may share cyber threat indicators (CTIs) and defensive measures (DMs) for cybersecurity purposes “notwithstanding any other provision of law,” and receive certain liability protections for sharing in accordance with the Act.  The Final Procedures and the Guidance are finalized versions of interim guidance previously discussed.  Any decision to share information under CISA is complex and involves factual and legal determinations.

Read on to find out what CTIs and DMs are, and information on the procedures companies must follow to obtain liability protection for sharing CTIs and DMs with the Federal Government.   Continue Reading “Interim” No More: DHS and DOJ Publish Final CISA Guidance on Cybersecurity Sharing 

Last week, the Federal Trade Commission (FTC) announced (press release) that Practice Fusion, the largest cloud-based electronic health record company in the United States, has agreed to settle FTC charges over deceptive practices involving the public disclosure of healthcare provider review information collected from consumers that included sensitive personal and medical information. Below is our review of the circumstances underlying the FTC complaint, a summary of the terms of the settlement, and a few pointers on how to avoid a similar situation.  There are many lessons to be learned from this FTC complaint for all online providers, not only EHR providers.  Read on.  Continue Reading Practice Fusion and FTC Settle Complaint Over Deceptive Statements About the Privacy of Consumer-Generated Online Content

Sophisticated phishing scams and muscular hacking efforts continue to compromise personal and sensitive information held by insurers, hospital systems, and businesses large and small. In response, many states have strengthened their data breach notification laws and have enacted data security laws to enhance the data protection obligations imposed on data collectors and to ensure that residents and state regulators receive prompt and adequate notice of security breaches when they do occur.  By mid-summer, a range of new measures will be going into effect in Nebraska, Nevada, Rhode Island and Tennessee. Be sure to review the latest edition of the Mintz Matrix for these new measures.  Continue Reading Illinois Joins the Fray: Strengthens its Laws Around Data Breach Notification and Data Security


In this edition of the “Innocents Abroad” series, Susan Foster discusses the privacy considerations that come into play when an employee loses a laptop containing customer data abroad!


From: Ned Help

To: Carrie Counselor

Subject:  Lost laptop containing European customer information

Carrie,

A couple of weeks ago, you wrote me about an employee who will be engaging in a six-month temporary assignment around Europe to scope market opportunities. The employee was Abbie Absent-Minded.  Well, we hit a snag pretty quickly.  Abbie just e-mailed me to say that she left her laptop on a train in London last evening and it hasn’t turned up yet in the train company’s lost-and-found.  It was a brand-new laptop that we had given her for her European assignment, so fortunately it didn’t have a lot on it.  Abbie said that the laptop had contact information for her various marketing prospects, plus some sample customer data that she was given by one of her prospects to use in a demo of our web-based advertising product.  She thinks that the customer data included around 200 records with the customer’s name, age, gender, e-mail address and the history of purchases that the customer made from our prospective client’s retail stores.

I assume that we should tell our prospective client that the laptop with their customer data was lost.  What else do we need to think about?

Thanks,

Ned


Continue Reading Innocents Abroad: Lost laptop with customer data

In a decision favorable to the airline industry—but not helpful to other companies—the California Court of Appeal said that a privacy enforcement action against Delta is not going to fly.  On May 25, 2016, the Court of Appeal tossed the California Attorney General’s CalOPPA enforcement action against Delta Airlines, affirming the lower court’s 2013 dismissal of the case with prejudice.

As we previously wrote, the California AG’s office has been taking incremental steps toward ensuring that mobile applications comply with CalOPPA.  As early as 2012, its office began sending notices of non-compliance to mobile application developers.  When some companies failed to respond, the Attorney General chose Delta as its pilot case, promptly filing its first-ever enforcement action under CalOPPA.  Over the past three years, we have followed the Attorney General’s CalOPPA compliance campaign, including the Delta case.  Continue Reading Delta Wins CalOPPA Case – But Your Mobile App May Not Fly

Mintz Levin’s Immigration Law Blog is running a series titled “Innocents Abroad” addressing issues in an increasingly globalized economy where employers assign employees all over the globe.

These are big questions, reflecting some of the practical concerns in our international marketplace.  The series focuses on the well-intentioned Global HR Director, Ned Help, who raises the hot topics and difficulties his company faces when sending its employees abroad.  We then explore the common pitfalls and offer practical solutions to the difficulties Ned Help faces.  This month’s edition: Privacy Considerations.  Follow the rest of the series at Innocents Abroad.


From: Carrie Counselor

To: Ned Help

Date: May 24, 2016

RE: Privacy considerations for employees working abroad

Dear Ned,

I understand that one of your employees will be engaging in a six-month temporary assignment around Europe to scope market opportunities, and you’d like to have a better understanding of what to be thinking about in terms of privacy.  Great question!  This is an area where many employers struggle because other jurisdictions protect privacy and personal data quite differently than we do here in the United States.

Generally speaking, federal and state laws applicable to employee information do not have “extraterritorial” effect beyond the information that remains in the United States, meaning that American employees working abroad (even temporarily) will not benefit from US legal protections with respect to personal information collected, stored or transmitted outside of the country.

What makes this area of the law particularly crucial and daunting for employers is that non-US countries frequently offer greater protections to employees and establish far higher compliance obligations on the part of employers.  Of particular concern for you should be the data protection landscape across the European Economic Area (referred to as the “EEA,” encompassing all European Union (EU) Member States as well as Iceland, Liechtenstein and Norway) because each country has passed its own set of national laws governing the collection, use, retention and transmission of personal data. Companies must consider these local laws before electronically monitoring an employee outside the United States or transferring an employee’s personal information back home.  Let’s talk specifics: Continue Reading Innocents Abroad: Privacy Considerations for Employers

Court holds that plaintiff must allege a concrete injury to have standing to sue for a statutory violation; remands for further proceedings

In its just-issued decision in Spokeo, Inc. v. Robins, No. 13-1339, slip op. (May 16, 2016), the Supreme Court has held that a plaintiff bringing suit under a federal statute must allege the existence of a concrete injury in order to have Article III standing to bring that statutory claim.

This ruling disturbs assumptions that animate federal minimum damages statutory class actions. The conventional wisdom has been that if a defendant violates a statute, the plaintiff cashes a check. For years, plaintiffs’ class action lawyers have argued that it’s just that simple. A cottage industry in class action litigation has grown up around a daunting alphabet soup of federal enactments – such as the TCPA, FCRA, FACTA and RESPA – which prescribe minimum money damage awards for statutory violations. Statutory awards ranging from $100 to $1,500 per violation for actions such as failing to truncate credit card numbers on transaction receipts (FACTA) or sending unsolicited texts (TCPA) can add up to astronomic exposure when aggregated over classes of tens of thousands of individuals.

Continue Reading Supreme Court Decision in Spokeo Breathes Life Into Standing Defenses

The Payment Card Industry Security Standards Council (PCI SSC) has released a new version of its data security standard for the protection of cardholder data, the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers as well as all other entities that store, process, or transmit cardholder data and/or sensitive authentication data. PCI DSS is administered by the PCI SSC, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

The newly published version, PCI DSS version 3.2 (PCI DSS 3.2), contains the following three types of changes:  Continue Reading PCI DSS 3.2: It’s here, what does it mean for you?