Eye On Privacy

Timely Updates and Analysis on Privacy and Cybersecurity Issues

Latest from Eye On Privacy

The Supreme Court’s recent decision in Van Buren addressed the meaning of the term “exceeds authorized access” under the Computer Fraud and Abuse Act (CFAA). The Court held, in a criminal case that alleged that the person used information for an improper purpose, that the law’s definition of this term does not include situations when people have improper motives for obtaining computerized information they are otherwise authorized to access.…
The Department of Labor recently issued cybersecurity guidance to retirement plans. The department’s Employee Benefits Security Administration (EBSA) issued guidance in three areas: (1) hiring and working with vendors and service providers; (2) implementing an internal cybersecurity program for the plan; and (3) online security for plan participants and end-users.…
The Supreme Court recently dealt a potential blow to the FTC’s enforcement tool chest. In particular, the decision impacts its ability to seek monetary relief under a theory it has used in a wide variety of cases, including privacy and security ones, that monetary relief constitutes a “permanent injunction” on consumers’ behalf. In AMG Capital Management, LLC v. Federal Trade Commission, the Supreme Court held that while the FTC should be able to obtain injunctive relief to stop unfair practices, that power does not extend to seeking monetary relief for injured consumers.…
NYDFS Issues Supply Chain Management Guidance
The New York State Department of Financial Services recently issued recommendations to financial institutions in the aftermath of the SolarWinds cyberattack. In that attack, hackers inserted malware into SolarWinds software which was then distributed to SolarWinds’ customers (many of which were financial institutions). After discovery, SolarWinds released a series of hot fixes to address vulnerabilities in its software associated with the attack. Although NYDFS found that most companies responded quickly to patch the vulnerabilities, it did identify additional steps to reduce supply chain risk:…
Google recently announced that beginning next year it will require Android mobile apps to provide privacy disclosures. These disclosures will live in a new “safety section” in Google Play. The requirements include disclosing:
- What information the app collects and how information is used;
- How the app protects information and if it uses encryption;
- If information is shared and if users have a choice about sharing;
- If users can request data deletion; and
- If the disclosures made in the safety section have been verified by an independent third party.…
China is continuing to move forward with its first comprehensive privacy law. China recently issued a second version of the draft Personal Information Protection Law (Draft PIPL) which will be open for public comments until May 28, 2021. (An earlier version of the law was released at the end of 2020.) The law is anticipated to come into effect sometime in the next one to two years.
Current State of Laws
China does not currently have a comprehensive data privacy law. There are some rules about data protection and use scattered in existing laws, national standards and governmental guidelines. For…
Providing business teams with advice for sending text messages can be nothing short of frustrating. For businesses used to sending email marketing, the laws for texting are unexpected. Unlike the CAN-SPAM Act, TCPA requires prior express written consent if autodialed messages are sent that contain advertising content. And unlike CAN-SPAM, TCPA has a private right of action. On its face, the recent Supreme Court decision in Facebook, Inc. v. Duguid seemed to bring good news. The decision suggests that companies may be able to send, in several circumstances, automated texts to databases of current customers without running afoul of TCPA.…
The Dutch Data Protection Authority recently imposed a €475,000 fine ($558,000) against the hotel website Booking.com for waiting longer than 72 hours to report a data breach. According to the Dutch DPA press release, Booking.com learned of the breach on January 13, 2019 and reported it to the DPA on February 7, 2019. The DPA did not make it clear in that release whether Booking.com had, in fact, determined on January 13, 2019 that a security breach impacting personal information of Dutch citizens had occurred or whether January 13, 2019 was the date that Booking.com was first alerted to suspicious activity.…
As of this week, Apple’s requirements for apps to follow its AppTrackingTransparency framework are now in effect. These requirements went hand-in-hand with the iOS 14.5 launch, and impact how an app can track users and access their advertising device IDs. In particular, consumer consent is now required if the app collects consumer information and shares it with others “for purposes of tracking across apps and web sites.” Apple has provided developers with specific implementation steps, which will be reviewed when apps are submitted to Apple for approval. As part of the submission, companies need to explain why they want to…
The FTC recently provided guidance to companies on how to use artificial intelligence with an aim for “truth, fairness and equity.” The FTC reminded companies of three laws it enforces which have lessons for those in the AI space: Section 5 of the FTC Act (which would prohibit unfair algorithms, for example); the Fair Credit Reporting Act (which would prohibit algorithms that might deny housing, as an example); and the Equal Credit Opportunity Act (which would prohibit algorithms that might result in credit discrimination on the basis of race, as an example). These comments come almost a year after the…
Maine and North Dakota recently adopted the National Association of Insurance Commissioners (NAIC) data security model law. They join at least 11 other states that have already adopted the model law. The model law applies to insurers, insurance agents and other entities licensed by the state department of insurance. As we wrote about in our insurance certifications round-up, among other requirements, the model law requires organizations subject to the law to have:
- A comprehensive written information security program commensurate with the company’s size and complexity
- A written incident response plan
- Employee training
- Appropriate oversight by the company’s board…
In a notable application of the European Court of Justice’s “Schrems II” decision, the data protection authority for the German state of Bavaria recently held that a German entity’s use of US-based MailChimp (a use that involved transferring personal information to the US) violated GDPR. As we previously wrote, the Schrems II decision turned on concerns around the lack of sufficient safeguards under US law. The court cautioned, and the EDPB has since clarified further, that for standard contractual clauses to be used, companies must determine whether the information will have the same level of protection under the laws…
Utah recently amended its breach notice law to provide certain defenses to companies that suffer a data breach. It is now the second state, after Ohio, to include such provisions. Specifically, entities that create and reasonably comply with a written cybersecurity program may have an affirmative defense to litigation resulting from a data breach. For the safe harbor to apply, the written cybersecurity program must:…
Artificial intelligence continues to remain a focus in 2021, as we predicted at the start of the year. From the FTC, to the EU, to others, regulators of all kinds are paying attention to companies’ use of these tools. In the latest, five US federal agencies are seeking input on how financial institutions are using AI tools. Comments from stakeholders are due by June 1, 2021.…