Just two days after the Federal Trade Commission (“FTC”) announced a historic settlement of privacy and security claims against Equifax, the FTC today announced that Facebook has agreed to pay $5 billion in civil fines,...more
7/25/2019
/ Cambridge Analytica ,
Consent Order ,
Corporate Structures ,
Data Management ,
Data Privacy ,
Data Protection ,
Facebook ,
Federal Trade Commission (FTC) ,
FTC Act ,
Online Advertisements ,
Personal Data ,
Settlement Agreements ,
Social Media ,
Unfair or Deceptive Trade Practices
Equifax has agreed to pay $575 million to settle consumer as well as state and federal regulatory claims for its 2017 data breach. This is the largest data breach settlement to date. ...more
7/23/2019
/ Consumer Financial Protection Bureau (CFPB) ,
Credit Monitoring ,
Credit Reporting Agencies ,
Cyber Attacks ,
Data Breach ,
Enforcement Actions ,
Equifax ,
Federal Trade Commission (FTC) ,
Financial Services Industry ,
Hackers ,
Identity Theft ,
Personal Data ,
Personally Identifiable Information ,
Popular ,
Qualified Settlement Funds ,
Settlement Agreements ,
Vulnerability Assessments
New York’s proposed data privacy law failed to materialize in the latest legislative session and is now presumed dead. New York was one of a number of states that proposed sweeping privacy legislation after the enactment of...more
7/19/2019
/ Consumer Privacy Rights ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Data Protection ,
Data Rights ,
Duty of Care ,
Duty of Loyalty ,
Legislative Agendas ,
Personal Data ,
Personally Identifiable Information ,
State and Local Government
Last Friday we blogged on the Saks data breach class action, and in the process mentioned a trend among federal courts to reject fear of future identity theft claims in retail breach cases. ...more
6/3/2019
/ Article III ,
Cause of Action Accrual ,
Class Action ,
Consumer Fraud ,
Corporate Counsel ,
Cyber Attacks ,
Cybersecurity ,
Damages ,
Data Breach ,
Hackers ,
Identity Theft ,
Injury-in-Fact ,
Personally Identifiable Information ,
Popular ,
Retail Market ,
Standing
For years, plaintiffs in data breach class actions have argued that the threshold for Article III standing is low – and increasingly courts are accepting that argument....more
5/31/2019
/ Article III ,
Barnes and Noble ,
Chipotle Grill ,
Class Action ,
Class Representatives ,
Corporate Counsel ,
Data Breach ,
Injury-in-Fact ,
Personally Identifiable Information ,
Retailers ,
Saks ,
Standing ,
Wendy's
In April 2019, the California Assembly Privacy and Consumer Protection Committee rejected a proposal known commonly as the “Privacy for All Act” (AB-1760), which among other things would have provided a private right of...more
Following the speedy enactment of the California Consumer Privacy Act (CCPA or Act) in June 2018, business and consumer advocates alike have been pressuring California lawmakers to clarify the many ambiguities raised by the...more
5/16/2019
/ California Consumer Privacy Act (CCPA) ,
Consumer Privacy Rights ,
Corporate Counsel ,
Cybersecurity ,
Data Collection ,
Data Privacy ,
Data Protection ,
Exemptions ,
Information Sharing ,
Personal Data ,
Personally Identifiable Information ,
Privacy Laws ,
Proposed Amendments ,
Regulatory Agenda ,
Rulemaking Process ,
State and Local Government
Utah Governor Gary Herbert is expected to sign a new privacy law in the coming weeks that will make his state the first to protect private electronic data stored with third-party providers from government access without a...more
3/28/2019
/ Cloud Computing ,
Data Management ,
Electronically Stored Information ,
Government Investigations ,
Legislative Agendas ,
Pending Legislation ,
Privacy Laws ,
Search Engines ,
Search Warrant ,
Social Media ,
State and Local Government ,
Wireless Technology
On March 20, 2019, the Supreme Court refused to address the adequacy of an $8.5 million Google privacy class action settlement and instead remanded to a lower court to determine whether the class action plaintiffs had standing...more
3/21/2019
/ Class Action ,
Cy Pres Funds ,
Frank v Gaos ,
FRCP 23(e) ,
Google ,
Remand ,
SCOTUS ,
Settlement ,
Spokeo v Robins ,
Standing ,
Stored Communications Act ,
Vacated
The FTC has proposed amendments to its 2003 Safeguards Rule and 2000 Privacy Rule, applicable to financial institutions under the Gramm Leach Bliley Act (GLBA). The proposed changes are informed by the FTC’s enforcement...more
Following numerous privacy complaints, the State Office for Data Protection Supervision (BayLDA) recently conducted a random audit on 40 companies and found widespread problems with their cookie disclosures....more
3/8/2019
/ Cookie Banners ,
Cookies ,
Cybersecurity ,
Data Protection ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Personally Identifiable Information ,
Regulatory Violations ,
Transparency ,
Vulnerability Assessments
The FTC has proposed amendments to its 2003 Safeguards Rule and the 2000 Privacy Rule, applicable to financial institutions under the Gramm Leach Bliley Act (GLBA). ...more
3/8/2019
/ Banking Sector ,
Cyber Crimes ,
Cybersecurity ,
Data Breach ,
Data Security ,
Federal Trade Commission (FTC) ,
Financial Institutions ,
Gramm-Leach-Bliley Act ,
Personally Identifiable Information ,
Privacy Rule ,
Proposed Amendments ,
Rulemaking Process ,
Safeguards Rule
As tax season winds on, the W-2 form scam has emerged as one of the most dangerous and common phishing email schemes during this time of year....more
3/7/2019
/ Cyber Crimes ,
Identity Theft ,
Income Taxes ,
IRS ,
Payroll Records ,
Personally Identifiable Information ,
Phishing Scams ,
Social Security Numbers ,
Tax Fraud ,
Tax Planning ,
Tax Returns ,
W-2
The Equifax and Facebook-Cambridge Analytica scandals, coupled with the proliferation of state privacy and security laws such as the California Consumer Privacy Act (CCPA)—as well as proposed laws in Washington and...more
The Illinois Supreme Court held on January 25, 2019, that plaintiffs filing suit under the Biometric Information Privacy Act—which regulates how private entities disclose and discard biometric identifiers—do not need actual...more
1/30/2019
/ Amusement Parks ,
Article III ,
Biometric Information ,
Biometric Information Privacy Act ,
Class Action ,
Data Collection ,
Data Privacy ,
Fingerprints ,
IL Supreme Court ,
Injury-in-Fact ,
Liquidated Damages ,
Personal Data ,
Personally Identifiable Information ,
Standing ,
Statutory Violations
The Illinois Supreme Court held on January 25, 2019, that plaintiffs filing suit under the Biometric Information Privacy Act—which regulates how private entities disclose and discard biometric identifiers—do not need actual...more
1/29/2019
/ Amusement Parks ,
Article III ,
Biometric Information ,
Biometric Information Privacy Act ,
Data Collection ,
Data Privacy ,
Facial Recognition Technology ,
Fingerprints ,
IL Supreme Court ,
Injury-in-Fact ,
Liquidated Damages ,
Personal Data ,
Personally Identifiable Information ,
Standing ,
Statutory Violations
Since the General Data Protection Regulation (“GDPR”) took effect on May 25, 2018, US companies without facilities or employees in Europe have struggled to understand the extraterritorial scope of the GDPR....more
12/3/2018
/ Corporate Counsel ,
Cybersecurity ,
Data Breach ,
Data Processors ,
Data Protection ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
Extraterritoriality Rules ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Personally Identifiable Information ,
Risk Management
The Pennsylvania Supreme Court has drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard its employees' personal information stored on...more
11/28/2018
/ Corporate Counsel ,
Cybersecurity ,
Data Breach ,
Data Collection ,
Data Security ,
Economic Loss Doctrine ,
Employer Liability Issues ,
Employment Litigation ,
Identity Theft ,
Negligence ,
PA Supreme Court ,
Personal Data ,
Personally Identifiable Information ,
Popular ,
Reasonable Care
On April 18, 2018, the Government of Canada published the final regulations relating to mandatory reporting of privacy breaches under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). ...more
9/14/2018
/ Cybersecurity ,
Data Breach ,
Data Protection ,
Data Security ,
Hackers ,
Notification Requirements ,
Personally Identifiable Information ,
PIPEDA ,
Popular ,
Recordkeeping Requirements ,
Regulatory Oversight ,
Regulatory Requirements
A new bill introduced by House Financial Services subcommittee Chairman Rep. Blaine Luetkemeyer would significantly change data security and breach notification standards for the financial services and insurance industries. ...more
9/11/2018
/ Banking Sector ,
Cybersecurity ,
Cybersecurity Framework ,
Data Protection ,
Data Security ,
Federal Breach Notification Standard ,
Financial Institutions ,
Financial Services Industry ,
Gramm-Leach-Bliley Act ,
Information Technology ,
Insurance Industry ,
Legislative Agendas ,
Personally Identifiable Information ,
Policies and Procedures ,
Popular ,
Preemption ,
Proposed Legislation ,
Risk Management
As discussed in our prior post, the California Consumer Privacy Act of 2018 (the “Act”) is expected to be modified by the California legislature prior to its January 1, 2020, enforcement deadline. ...more
8/22/2018
/ Consumer Privacy Rights ,
Corporate Counsel ,
Cybersecurity ,
Data Breach ,
Data Privacy ,
Data Protection ,
Legislative Agendas ,
Personally Identifiable Information ,
Private Right of Action ,
Proposed Legislation ,
State and Local Government
One of the most bedeviling aspects of data privacy and security law concerns the concept of “reasonable” data security, which has become the default statutory and common law standard. The FTC began articulating a...more
Just as many US businesses were scrambling to meet GDPR compliance, California quickly passed a broad new privacy act, giving businesses another privacy compliance headache. We’ve previously blogged on the dramatic history...more
We’ve previously blogged about the creative efforts of plaintiffs’ counsel to expand the contours of data breach litigation. ...more
7/13/2018
/ Article III ,
Automotive Industry ,
Chrysler ,
Class Action ,
Class Certification ,
Connected Cars ,
Data Breach ,
Data Security ,
Design Defects ,
Fiat ,
Hackers ,
Internet of Things ,
Motor Vehicles ,
Network Security ,
Standing
Today the EU General Data Protection Regulation (GDPR) goes into effect, ending the data protection landscape as we know it. This comprehensive privacy law applies directly to the 28 EU countries and companies established in...more
5/25/2018
/ Cybersecurity ,
Data Processors ,
Data Protection ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Personally Identifiable Information ,
Regulatory Oversight ,
Regulatory Requirements ,
Risk Management