Privacy and data security is constantly evolving and 2018 presented no exception. Let’s take a look back at some of the highlights of this year.
Cambridge Analytica (March 2018): Facebook announced that Cambridge Analytica and its parent company, SCL Group, had misappropriated data from 87 million Facebook users, mostly located in the United States. Congressional hearings followed, Facebook updated its privacy features and Cambridge Analytica filed for bankruptcy. What’s this mean? U.S. Senate Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security hearings regarding the ‘Oversight of the Federal Trade Commission’ examined the FTC’s resources and powers to enforce action against privacy violations. FTC Commissioners support the position that a federal privacy rule is needed, but various positions remain as to whether such rule should preempt state laws.
NIST Cybersecurity Framework Version 5 (April 16, 2018): The National Institute of Standards and Technology updated its Cybersecurity Framework, which includes updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain and vulnerability disclosure. (Note: NIST also announced a privacy framework initiative as a complement to the Framework on September 4, 2018.) What’s this mean? Organizations can now use the Framework to understand and assess their cyber risk, including those associated with the supply chain and purchasing commercial off-the-shelf products and services.
South Carolina Insurance Data Security Act (May 3, 2018): South Carolina adopted the National Association of Insurance Commissioners Insurance Data Security Model Law, the first state to do so. The Act will go into effect on January 1, 2019 and requires full compliance by July 1, 2020. What’s this mean? Other states are hot on South Carolina’s heels, leaving the door open as to how uniformly the model law will be implemented among the states.
General Data Protection Regulation (May 25, 2018): The European Union’s overhaul of its privacy framework took effect and companies flooded email inboxes all over the world with privacy updates on how each is protecting personal data. (Note: the European Data Protection Board published its long-awaited draft guidelines for extraterritorial application of GDPR on November 23, 2018.) What’s this mean? GDPR covers the usual suspects of protected information, but now also includes web-based data, such as user location, IP address, cookies and RFID tags. Businesses, including those in the United States who deal with EU resident information, must comply with the rigorous standards of this regulation or be prepared to pay hefty fines.
Alabama Breach Notification Law (June 1, 2018): Last but not least, Alabama enacted a data breach notification statute, becoming the 50th state to do so. What’s this mean? Now that all states are on board in some shape and form as to breach notification, movement toward a federal data breach law presents a fear as to whether a federal law would interfere with, rather than enhance, the states’ laws.
Lab MD, Inc. v. Federal Trade Commission (June 6, 2018): The Eleventh Circuit vacated the Federal Trade Commission’s order against LabMD because the order mandated a complete overhaul of LabMD’s data security program and did not provide guidance on how to accomplish the required change. What’s this mean? The FTC and defendants alike will be navigating this decision moving forward in enforcement investigations, with the FTC most likely needing to enjoin specific acts or practices rather than relying on broad requirements and well-prepared defendants having an opportunity to steer to a more advantageous resolution.
Carpenter v. United States (June 22, 2018): The Sixth Circuit determined the Fourth Amendment, which protects Americans’ right to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, extends protection to cellphone records documenting a person’s location, but does not apply to other types of cellphone records or surveillance techniques. What’s this mean? The Supreme Court has broadened the interpretation of the Fourth Amendment to accommodate new technological realities, and it’s up to Congress to clarify standards for records requests.
California Consumer Privacy Act (June 28, 2018): The CCPA was signed into law, issuing greater consumer rights as to disclosures from businesses regarding an individual’s personal information and what is being done with it beginning January 1, 2020. CCPA also provides a ‘right to be forgotten’, placing deletion requirements on businesses. What’s this mean? On the heels of GDPR, this is further proof that everyone is taking personal information and consumer rights seriously, and other states are not far behind California.
Hu-manity.co (August 2018): In the wake of Cambridge Analytica, this organization began providing the ability for people around the world to download a blockchain application and exercise a right to legal ownership of their inherent human data as property. What’s this mean? Users of the app will now have title to their digital data, providing more choice if, how and where their data will be used by companies.
EU-U.S. Privacy Shield (October 19, 2018): The Commission for Justice, Consumers and Gender Equality and the Department of Commerce engaged in the second annual review for standards for transatlantic data flows for commercial purposes. What’s this mean? The chastising of the United States from the European Union regarding its privacy protections is not over, and it may further support the need for federal privacy legislation.
All roads appear to be leading to uniformity of privacy regulation in the U.S. landscape. What that road will begin to look like - only 2019 can tell.