Privacy & Cybersecurity Update - June 2019

Skadden, Arps, Slate, Meagher & Flom LLP

In this month's edition of our Privacy & Cybersecurity Update, we reflect on the GDPR's one-year anniversary while also examining the EU's new Cybersecurity Act. We also take a look at HHS' new guidance on direct liability of business associates, a pair of circuit court decisions involving privacy issues and legislation passed in three states involving protection of personal information.

The GDPR at the One Year Mark: A Work in Progress

Nevada Enacts Right to Opt Out of Sale of Information

Maine Restricts Sale of Personal Information by ISPs

Oregon Expands Data Breach Notice Law

Fourth Circuit Holds That Dish Network is Liable for Violating Telephone Consumer Protection Act

Sixth Circuit Holds Payment Processing Company Liable for Damages Related to Attack on Merchant’s Credit Card System

New Guidance Clarifies Direct Liability of Business Associates Under HIPAA

European Council Approves New EU Cybersecurity Act

The GDPR at the One Year Mark: A Work in Progress

On May 25, 2018, the EU General Data Protection Regulation (GDPR) went into effect, causing uncertainty regarding the volume and nature of enforcement, with many organizations fearing a shift toward more frequent and aggressive fines. However, following its first anniversary, the reality of GDPR is significantly more nuanced.

The first year of GDPR implementation has met mixed reviews. While there have been some clear developments among data protection regimes, the heavily anticipated level of sweeping enforcement activity has yet to materialize. While enforcement has, by many accounts, lagged expectations, entities, whether they be “data controllers” or “data processors,” are taking steps to adapt to the GDPR’s new requirements. Additionally, the European Data Protection Board (EDPB) and national supervisory authorities are putting effort into releasing regular guidance and creating tools to assist companies with compliance in their day-to-day practices.

The GDPR also has played an important role in increasing individual awareness of data protection. The European Commission’s March 2019 Eurobarometer survey of approximately 27,000 European citizens showed that around 67 percent of those surveyed know what the GDPR is. The Eurobarometer survey also reported that 73 percent have heard of at least one of the six rights guaranteed by the GDPR, while 57 percent indicated they know there is a public authority in their country responsible for protecting their data rights (compared to 2015's survey, in which only 37 percent were aware).

Internationally, the GDPR may start to appear as less of an outlier in data enforcement. Brazil has enacted the Brazilian Data Protection Law (which takes effect August 2020), and other countries, including India and China, are considering similar legislation. In the U.S., the California Consumer Privacy Act (CCPA) (which takes effect January 2020) imposes requirements that are similar to those included in the GDPR.

Data Breach Notifications and Enforcement Actions

The GDPR mandates data breach notifications when personal data an entity is responsible for is accidentally or unlawfully disclosed. Since May 25, 2018, there have been 89,271 data breaches logged by European Economic Area (EEA) supervisory authorities. Of those, 63 percent have been closed and 37 percent are ongoing. The Netherlands, Germany and the United Kingdom have reported the highest numbers of breaches, with the U.K. Information Commissioner's Office (ICO) noting that it has logged more than 14,000 data breaches (a marked increase over the roughly 3,300 notifications it received in the preceding year). There have been 144,376 queries and complaints — primarily concerning promotional emails, telemarketing and video surveillance, or CCTV — from individuals in the EU since the GDPR’s implementation, with 41,000 of those coming from the U.K. and 6,000 from Ireland.

Additionally, GDPR enforcement is still evolving. As of May 22, 2019, there were over 280,000 cases pending investigation across 27 EEA countries. The Data Protection Commission (DPC) in Ireland, a country with a large tech hub, is currently investigating 18 “large data breaches, systemic privacy issues and other serious violations at technology firms,” but actions have not yet been taken.

As of February 2019, only 91 fines had been imposed under the GDPR. Total fines have reached €56 million, but the majority of that figure stems from the single €50 million fine levied against Google by the French supervisory authority, Commission Nationale de l'Informatique et des Libertés (CNIL) (Google is currently challenging this action). Prior to its implementation, privacy advocates had expected more accountability and higher levels of enforcement under the GDPR’s comprehensive reforms. That said, the U.K. ICO and the Irish DPC publicly have hinted that enforcement actions under the GDPR will be coming in the next few months, but that cases take time to build.

The enforcement actions taken by EEA Supervisory Authorities thus far span a variety of industries and entities, signaling that GDPR fines and enforcement notices will not be reserved for big tech firms or major breaches, as evidenced below by some of the first enforcement actions at a national level:

  • On May 28, 2019, the Belgian Data Protection Authority fined a Belgian mayor €2,000 for using, in an electoral campaign, personal data that initially was collected for local administration purposes.
  • On July 17, 2018, the first GDPR fine in Portugal was levied against Centro Hospitalar Barreiro Montijo. The Portuguese data protection authority fined the hospital €400,000 for allowing indiscriminate access to personal data, alongside other violations of basic principles of processing, the absence of adequate technical and organizational measures, and inability to ensure continued confidentiality.
  • On April 4, 2019, the Italian Data Protection Authority issued a €50,000 fine against the Rousseau internet platform for a number of privacy security issues related to data controlled by Italian political party Movimento 5 Stelle.
  • As of May 22, 2019, German regional data protection authorities had imposed a total of €449,000 in fines, including a €20,000 fine levied in November 2018 against a chat and dating service for a breach in which hackers stole 300,000 customers’ personal data. The service notified the relevant authority about the breach, and an investigation found that it lacked appropriate technical safeguards for the protection of data, having stored its users’ passwords in unencrypted plain text.
  • On April 4, 2019, the U.K. ICO issued a preliminary enforcement notice against Her Majesty’s Revenue and Customs (HMRC) for the biometric data processed in their Voice ID system. The ICO found that HMRC had given customers insufficient information about the data processing and did not give them a chance to consent. The U.K. ICO’s first enforcement notice under the GDPR was levied on October 24, 2018, against AggregateIQ Data Services Ltd, a Canadian company targeting EEA data subjects, for processing personal data without the data subjects’ knowledge, as well as for undeclared purposes and without a lawful basis. In both cases, the ICO demanded data deletion as a precursor to imposing a fine.

Looking Ahead and Key Takeaways

While 25 EU member states have adopted national legislation for implementing the GDPR, Greece, Slovenia and Portugal have yet to put their domestic laws in place. Organizations also have called for more clarity on specific elements of the law, including details around data breach notifications and subject rights requests.

As simple cases give way to more complex cases, there are more regulatory questions that will require resolution. For example, there are concerns that individuals, such as former employees, may use data subject rights as punitive measures against companies or to obtain pre-litigation disclosure. In addition, as increasing volumes of personal data are processed in cross-border investigations, the eDiscovery process — and other statutorily or treaty-enabled production requirements, such as those contemplated under the U.S. Clarifying Lawful Overseas Use of Data Act, or CLOUD Act — will require the EDPB and supervisory authorities to be clear about the GDPR’s scope, as well as require investigators and companies to be more attentive to the GDPR's requirements.

At the one year mark, there is no doubt that the GDPR has set standards through which legislators and citizens around the world are becoming more aware of their governments’ abilities to protect individual rights.

Nevada Enacts Right to Opt Out of Sale of Information

A new Nevada law requires website operators to offer consumers the ability to request that their personal information not be sold to data brokers.

On May 29, 2019, Nevada enacted Senate Bill 220 (the Nevada Amendment),1 which amends the Nevada Internet Privacy Act to require “operators” to establish a designated email address, toll-free telephone number or website through which consumers can make a verified request that their covered information not be sold. A verified request means the operator has verified the authenticity of the opt-out request and the identity of the consumer “using commercially reasonable means.”

An “operator” is broadly defined as a person who:

  • owns or operates a website or online service for commercial purposes;
  • collects and maintains certain items of personally identifiable information from consumers who reside in Nevada and use or visit the website or online service; and
  • engages in any activity that constitutes a sufficient nexus with Nevada to satisfy constitutional requirements. Such activity includes doing business in Nevada, purposefully directing activities toward Nevada or transacting with the state or a Nevada resident.

Certain entities are exempt from the definition of “operator,” including, among others, financial institutions and entities subject to certain federal privacy laws. These entities include any entity regulated by the Gramm-Leach-Bliley Act or Health Insurance Portability and Accountability Act (HIPAA), any service provider to an operator, and certain manufacturers of a motor vehicle or persons who service motor vehicles who process covered information.

A “sale” for purpose of the Nevada Amendment is “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons,” unless the information is disclosed for purposes consistent with a consumer’s reasonable expectations.

“Covered information” refers to any one or more of the following data points about a consumer collected by an operator through a website or online service: first and last name, street name and name of city or town, email address, telephone number, Social Security number, an identifier permitting a specific person to be contacted, and/or any other information about a consumer collected from that consumer through the website or online service of the operator and maintained in combination with an identifier that makes the information personally identifiable.

Operators must respond to consumers’ requests within 60 days. A 30-day extension is available if “reasonably necessary” and notice has been provided to the consumer. An operator that has received a verified request submitted by a consumer must not make any sale of any covered information the operator has collected or will collect about that consumer.

The attorney general may bring a legal action against an operator who violates the Nevada Amendment and can seek an injunction or civil penalty of up to $5,000 for each violation.

California Consumer Privacy Act

Although some have been quick to compare the Nevada Amendment to a comparable provision in the California Consumer Privacy Act (CCPA), there are some critical differences between the two states' approaches.

First, the Nevada Amendment defines "sale" more narrowly than the CCPA, effectively limiting it to the sale (for monetary consideration) to data brokers. The CCPA includes any type of consideration and the "sale" to any other person, not just data brokers. Consumers also are defined more narrowly in the Nevada Amendment than under the CCPA in that employee and business data is not included, although the definition is broad enough to include what most businesses care about (i.e., consumers purchasing goods or services). That said, the Nevada Amendment does not carve out smaller businesses the way the CCPA does. In addition, "covered information" is more narrowly defined under the Nevada Amendment, excluding some of the broad areas picked up by the CCPA, such as device identifiers or household information. Finally, in contrast to the CCPA, the Nevada Amendment does not require a business to provide clear and conspicuous notice to consumers of their opt-out right regarding the sale of their information.

Key Takeaways

Overall, the Nevada Amendment is a prime example of the growing reality that, in the absence of federal privacy legislation, companies will be forced to comply with a patchwork of inconsistent state law obligations.

Maine Restricts Sale of Personal Information by ISPs

A new Maine law requires internet service providers (ISPs) in the state to obtain customer consent before using, disclosing or selling their personal information.

On June 30, 2019, Maine enacted An Act to Protect the Privacy of Online Customer Information (the Maine Act)2. The Maine Act, which goes into effect July 1, 2020, will ban, subject to certain exceptions, ISPs in Maine from “using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access.” Instead of providing customers the right to opt out of utilization of their data, the Maine Act restricts ISPs from using customers’ data unless they have affirmative customer consent. It also requires ISPs to provide “clear, conspicuous and nondeceptive” notice of customer rights and ISP obligations. Additionally, the act requires that ISPs take “reasonable measures” to protect customer information from unauthorized use, disclosure or access when implementing security measures.

“Customer personal information” restricted from sale refers to:

  • personally identifiable information about the customer including, but not limited to, the customer’s name, billing information, Social Security number, billing address and demographic data; and
  • information from a customer’s use of broadband internet access service including, but not limited to, the customer’s search history, application usage history, precise geolocation information, financial information, health information, IP address, communications contents and information pertaining to the customer’s children.

A customer may revoke consent to use, disclose, sell or permit access to customer personal information at any time. In addition, a provider may not refuse to serve a customer who does not provide such consent, nor may a provider charge a customer a penalty or offer a customer a discount based on a decision to provide or withhold such consent.

Among other exceptions, the law states that providers may use, disclose, sell or permit access to customer personal information without express, affirmative customer consent to:

  • provide the service from which the information is derived;
  • advertise or market the provider’s communications-related services to the customer;
  • comply with a lawful court order;
  • initiate, render, bill for and collect payment for broadband internet access service;
  • protect users from fraudulent, abusive or unlawful use of or subscription to ISP services; and
  • provide geolocation information concerning the customer in connection with certain enumerated emergency situations.

Key Takeaways

With the enactment of the Maine Act, the state's ISPs now face the strictest consumer privacy protections in the country. More importantly, passage of the legislation represents another "one-off" privacy law that will force companies to either adopt different policies for different states or consider each new privacy law the "floor" for what they need to do nationwide. Many expect the new law to be challenged as violating Federal Communications Commission rules or the interstate commerce clause of the Constitution.

Oregon Expands Data Breach Notice Law

Oregon updated its data breach notification requirements to improve transparency surrounding data breaches and expand the definition of personal information.

On May 24, 2019, Oregon enacted a new law, SB 864,3 which amends the Oregon Consumer Identity Theft Protection Act, effective January 1, 2020, and renames it the Oregon Consumer Protection Act (the act). The act now extends existing data breach notification obligations to a “vendor,” defined as a person “with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.” A “covered entity” is defined as a person that “owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities,” except with respect to a person who acts solely as a vendor.

A vendor that discovers a security breach or has reason to believe a security breach occurred must (1) notify any contracted covered entities as soon as practicable, but no later than 10 days after discovering (or having reason to believe that) a breach has occurred, and (2) notify the attorney general if a breach or suspected breach involved the personal information of more than 250 consumers or a number of consumers that the vendor could not determine.

The amendment revises the original legislation's definition of “personal information” to include user names or other means of identifying a consumer for purposes of permitting access to the consumer’s online account, together with any other method necessary to authenticate the user name or means of identification.

The act also provides that compliance with security measures under federal data security laws (including HIPAA and the Gramm-Leach-Bliley Act) gives covered entities and vendors in alleged violation of the act an affirmative defense regarding information protected under the act, but not protected under federal laws.

Key Takeaways

Oregon joins a number of states that, in recent years, have strengthened their data breach notification obligations. As discussed earlier, however, the growing body of state legislation continues to make it difficult for entities to adhere to the patchwork of cybersecurity rules and legislation that exist in each state jurisdiction, but not at the federal level.

Fourth Circuit Holds That Dish Network is Liable for Violating Telephone Consumer Protection Act

The U.S. District Court for the Fourth Circuit affirmed a $61 million treble damages award, finding that the National Do Not Call Registry applies to agents, including sales representatives and third-party marketers, under the Telephone Consumer Protection Act (TCPA).

On May 30, 2019, the Fourth Circuit affirmed a district court decision in favor of a certified class, concluding that satellite television company Dish Network (Dish) is liable for the actions of its agent, Satellite Systems Network (SSN), and reaffirmed judgment for approximately 11,000 plaintiffs.4

Unlawful Phone Calls

The named plaintiff, Dr. Thomas Krakauer, alleged that he began to receive telemarketing phone calls in May 2009, asking him to buy services from Dish, at a number he had listed in the Do Not Call Registry. The calls were placed by SSN, acting on behalf of Dish. Krakauer called Dish to complain about the calls, and he was placed on the company's individual Do Not Call list. In 2015, Krakauer sued Dish for the improper calls under the TCPA, seeking redress for himself and all persons who objected to these calls.

TCPA Regulations

The TCPA allows a private right of action for violations of the Do Not Call Registry regulations. By its plain language, the TCPA's private right of action contemplates that a company can be held liable for calls made on its behalf, even if not placed by the company directly.

The District Court Finds Liability and Willful Violations

In September 2015, the court certified a class that closely followed the text of the TCPA, allowing Krakauer to bring his claim on behalf of all persons (1) whose numbers were on the National Do Not Call Registry or the individual Do Not Call lists of either Dish or SSN for at least 30 days and (2) received two calls in a single year. The case went to trial, and the jury returned a verdict in favor of Krakauer and the class plaintiffs, finding that the telemarketing practices violated the TCPA and that Dish was liable for the calls placed by SSN. The jury awarded damages of $400 per call. The district court determined that Dish's violations were willful and knowing, and thus trebled the damages award under the TCPA. Dish appealed, challenging the class certification and its own liability for the wrongful calls placed by SSN.

The Fourth Circuit Affirms

The Fourth Circuit affirmed the class certification, ruling that the class was harmed under the TCPA by receiving unwarranted phone calls from SSN, acting as a third-party marketer for Dish. The court rejected all three issues that Dish raised on appeal. First, the court rejected Dish's argument that the members lacked standing because their injury did not rise to "a level that would support a common law cause of action" based on Spokeo, Inc. v. Robins5, which explains "the traditional core of standing" is a personal stake in the case. The court found that receiving unwanted calls on multiple occasions is an intrusion of personal privacy, and therefore, the members had standing.

Second, the court held the class was properly certified as a matter of civil procedure. Under Rule 23 and the remedial purpose of the TCPA, the cause of action allows for "resolution of issues without extensive individual complications." Dish's contention that the class definition was overbroad was rejected, as the court found the TCPA's cause of action for violations of the Do Not Call Registry can be brought by any "consumer," not only "subscribers."

Finally, the court affirmed the jury's conclusion that SSN was acting as Dish's agent at the time it made the improper calls. The evidence supporting an agency relationship was considerable, including suggestive contract provisions, authorization to use Dish's name and logo to carry out business operations, and the Voluntary Compliance Agreement that Dish entered into with 46 state attorneys general, wherein Dish clearly stated its authority over SSN with regard to TCPA compliance. Although Dish contended that its contract with SSN expressly disavowed an agency relationship, the court found that parties cannot avoid legal obligations of agency by contracting out of them. Dish also asserted it should not be responsible for SSN’s actions because it occasionally instructed SSN to follow the law, and, therefore, no reasonable jury could conclude the calls were made within the scope of SSN's authority as Dish's agent. The court found that the jury appropriately resolved this question, concluding that the evidence showed Dish failed to address these concerns in any meaningful way and was profiting from the SSN sales tactics. Accordingly, the court concluded that "this case demonstrates the need to look beyond the contract, as a failure to do so might lead to absolving a company, like Dish, that acquiesced in and benefitted from a wrongful course of conduct that was carried out on its behalf."

Key Takeaways

As the court's decision in Krakauer illustrates, TCPA plaintiffs are not required to show any threshold level of injury to have standing if they are able to prove the statutory elements of a TCPA claim, which could possibly lead to an increase in such claims. The Fourth Circuit's decision also may lead to claims involving instances where third parties were used to conduct telemarketing activities.

Sixth Circuit Holds Payment Processing Company Liable for Damages Related to Attack on Merchant’s Credit Card System

On June 7, 2019, the Sixth Circuit affirmed6 a district court ruling in favor of Spec’s Family Partners, a chain of liquor stores in Texas, finding that First Data Merchant Services, the payment processing company used by Spec’s, must bear the costs stemming from two attacks on the payment card network used by the stores.

Attacks on Payment Card System and Cost-Shifting Chain Reaction

Spec’s Family Partners fell victim to two attacks on its payment card network in which malware was installed to access customer data. An investigation revealed that Spec’s failed to comply with the Payment Card Industry Data Security Standard (PCI DSS) prior to the attacks, which left it vulnerable to breaches in its customers’ data security.

The attacks, and subsequent data theft, triggered a cost-shifting reaction down the credit card chain. The banks that issued the compromised credit cards first reimbursed the defrauded cardholders and replaced their customers’ credit cards. Card brands Visa and Mastercard then issued assessments on the acquiring bank, Citicorp Payment Services Inc., to cover its costs. Third, Citicorp demanded payment from First Data to cover the costs imposed on Citicorp by the credit card companies. Finally, First Data sought reimbursement for those costs from Spec’s.

In order to recoup its costs, First Data withheld the proceeds of routine payment card transactions from Spec’s, placing the proceeds in a reserve account. Spec’s refused to pay First Data and filed suit in an attempt to recover the $6.2 million that First Data withheld.

District Court Grants Summary Judgment

The District Court for the Western District of Tennessee granted summary judgment in favor of Spec’s, holding that First Data materially breached the Merchant Agreement when it diverted funds to reimburse itself for the card brand assessments. Specifically, the court found that such assessments constituted consequential damages that could not be recovered under a limitation of liability clause in the First Data contract. The District Court refused to interpret the assessments as “third-party fees and charges,” for which Spec’s would be liable under the contract.

Sixth Circuit Affirms

The Sixth Circuit reviewed de novo the grant of summary judgment and affirmed the District Court ruling in its entirety. First Data argued on appeal that Spec’s was liable for the assessments under the contract’s indemnification clause and because they constituted “third-party fees and charges” under the agreement.

The Sixth Circuit rejected First Data’s indemnity argument, finding that the assessments passed down to First Data constituted consequential damages because, according to Tennessee law, consequential damages are the natural consequences of the act complained of, but not the necessary results of such conduct. In other words, the assessments constituted consequential damages because the data breaches, reimbursements to cardholders and levying of assessments were the natural results of PCI DSS non-compliance. However, the results were not a necessary consequence of non-compliance in the sense that a non-compliant merchant might never suffer a data breach and the card brands might not issue assessments in the case of PCI DSS non-compliance on its own. The court concluded that because the data breaches and the imposition of assessments did not necessarily follow from the actions of Spec’s, the losses sustained were consequential and Spec’s could not be held liable for such damages under the contract.

First Data also argued that Spec’s was liable under a provision in the contract stating that Spec’s was responsible for all “third-party fees and charges” associated with the use of First Data’s services. By looking to the ordinary and plain meaning of the term, as well as its meaning within the context of the entire agreement, the Sixth Circuit held that the term “third-party fees and charges” did not include or contemplate assessments imposed by credit card companies. The court also noted that the only other federal appeals court to address this exact issue reached the same conclusion that the term excludes assessments following a data breach.7

Finally, the Sixth Circuit affirmed the District Court’s ruling that First Data materially breached the agreement by withholding payments due to Spec’s. The Sixth Circuit found that the PCI DSS non-compliance was an immaterial breach that was cured when Spec’s took steps to achieve full compliance. The court concluded that First Data materially breached the agreement by withholding payments due to Spec’s and thereby deprived Spec’s of the principal expected benefit under the contract.

New Guidance Clarifies Direct Liability of Business Associates Under HIPAA

In late May 2019, the Department of Health and Human Services (HHS) Office for Civil Rights released guidance regarding business associate liability under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH).

In 2013, HHS issued a rule, under the HITECH Act, that made business associates directly liable for certain HIPAA-related violations. However, since its enactment, the scope and reach of the rule have been unclear. On May 24, 2019, the Office for Civil Rights issued a fact sheet to clarify the rule, listing 10 provisions of HIPAA for which business associates can be held directly liable.

The HHS guidance will clarify matters regarding business associates, which include consultants, billing companies and medical record providers, among others. Though HIPAA applies directly to health care providers, plans and clearinghouses, certain vendors qualify as business associates if they handle protected health information (PHI) on behalf of, or in providing services to, a HIPAA-covered entity.

The 10 provisions under which business associates will be held liable are:

  1. Failure to provide the HHS secretary with records and compliance reports; cooperate with complaint investigations and compliance reviews; and permit access by the secretary to information, including PHI, pertinent to determining compliance.
  2. Taking any retaliatory action against any individual for filing a HIPAA complaint; participating in a retaliatory investigation or other enforcement process; or opposing an act or practice that is unlawful under the HIPAA rules.
  3. Failure to comply with the requirements of the HIPAA Security Rule (which includes the risk analysis requirement).
  4. Failure to provide breach notification to a covered entity or another business associate as required by the HIPAA Breach Notification Rule.
  5. Impermissible uses and disclosures of PHI.
  6. Failure to disclose a copy of electronic PHI to either the covered entity, the individual or the individual's designee (whichever is specified in the business associate agreement) to satisfy a covered entity's obligations regarding the form and format, as well as the time and manner, of access.
  7. Failure to make reasonable efforts to limit PHI to the minimum extent necessary to accomplish the intended purpose of the use, disclosure or request.
  8. Failure, in certain circumstances, to provide an accounting of disclosures.
  9. Failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
  10. Failure to take reasonable steps to address a material breach or violation of the subcontractor's business associate agreement.

Key Takeaways

The new guidance resolves uncertainty regarding when and how business associates can be held directly liable for HIPAA violations. In addition to liability imposed by the Office for Civil Rights, a business associate should be aware of contractual commitments regarding the handling of PHI imposed by covered entities.

European Council Approves New EU Cybersecurity Act

The newly passed EU Cybersecurity Act is intended to combat the increasing risk of cyberattacks as they become more sophisticated and, increasingly, international. The Cybersecurity Act aims to prompt a coordinated and collaborative response across the EU.


On June 7, 2019, the European Council formally approved Regulation (EU) 2019/881 (the Cybersecurity Act), which came into force on June 27, 2019. The Cybersecurity Act enacts two principal measures: it (1) strengthens the role of the European Union Agency for Network and Information Security (ENISA), the EU agency that improves network and information security in the EU, and (2) introduces the first EU-wide cybersecurity certification framework. For now, the single certification framework will be voluntary rather than compulsory, with the goal of building a harmonized framework for uniform cybersecurity standards across the EU. The introduction of the Cybersecurity Act will not, therefore, necessarily prompt immediate action, but it demonstrates the EU’s cybersecurity focus and gives manufacturers and service providers of information and communications technology (ICT) products, services and processes a framework to be mindful of.

The Ever-Expanding Role and Powers of ENISA

The Cybersecurity Act strengthens ENISA by granting it a permanent mandate and strengthening its human element. ENISA has been a temporary EU agency since its establishment in 2004. While ENISA is not a regulatory authority, it enhances cybersecurity prevention work by advising the European Commission, analyzing data and raising awareness of potential cyber threats. With the Cybersecurity Act, ENISA’s role expands through the supervision and facilitation of information sharing across the EU. ENISA also will now maintain a website providing information on cybersecurity, including the certification framework.

Additionally, ENISA will now assist with designing certification schemes for ICT products and services. At a foundational level, these schemes will ensure that key cybersecurity standards are adhered to by ICT manufacturers and service providers, such as by ensuring an adequate level of protection of personal data against unauthorized storage, processing, destruction, exfiltration, loss or alteration. ENISA also is tasked with reviewing certification schemes every five years to ensure their ongoing compliance with adequate cybersecurity standards.

Certification Framework

The Cybersecurity Act establishes an EU cybersecurity certification framework that aims to assure consumers of the safety of their data, allowing them to trust the cybersecurity of ICT products, services and processes. The framework also provides a uniform certification process in the EU, avoiding multiple, conflicting and overlapping certifications between countries. The ENISA certification schemes will be based on European or international cybersecurity standards, though they will be supervised and implemented by national authorities. EU member states also may establish individual national penalties for infringing the schemes.

It is expected that the first ENISA certification scheme will be published within a year of the Cybersecurity Act’s effective date. The Cybersecurity Act grants the European Commission the power to decide whether to adopt the published ENISA certification schemes. The European Commission also will re-evaluate, by 2023, whether some schemes should be mandatory. As such, it will take time to conclude whether the Cybersecurity Act is successful and whether the certification regime will become an effective, trusted and useful exercise for ICT providers and manufacturers, as well as consumers.

Relationship With Other Data Protection and Cybersecurity Laws

The Cybersecurity Act dovetails closely with other European Union laws addressing data protection and cybersecurity, most notably the GDPR, which requires technical and organizational measures to safeguard the processing of personal data, and the Network and Information Security Directive (NIS Directive), which was the first EU-wide legislation on cybersecurity and addresses potential cybersecurity threats against network and information systems. However, the Cybersecurity Act’s purview extends beyond that of the NIS Directive, which applies only to businesses classified as “operators of essential services” and “digital service providers,” whereas the Cybersecurity Act extends to all manufacturers and service providers of ICT offerings.

Key Takeaways

The Cybersecurity Act’s true impact and efficacy remain to be seen. However, the increased focus on cybersecurity issues could facilitate the successful and widespread adoption of ENISA certification schemes. Cybersecurity has been a high priority for both businesses and the EU in recent years, and the Cybersecurity Act, if nothing else, reinforces the importance of strong cybersecurity standards.


1 The full text of the bill can be read here.

2 The full text of the bill can be read here.

3 The full text of the amendment can be read here.

4 Krakauer v. Dish Network, L.L.C., No. 18-1518 (4th Cir. May 30, 2019).

5 136 S. Ct. 1540 (2016).

6 Spec’s Family Partners, Ltd. v. First Data Merchant Services LLC, No. 17-5884/5950, 2019 WL 2407306 (6th Cir. June 7, 2019).

7 Schnuck Markets, Inc. v. First Data Merchant Services, 852 F.3d 732 (8th Cir. 2017).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Skadden, Arps, Slate, Meagher & Flom LLP | Attorney Advertising

Written by:

Skadden, Arps, Slate, Meagher & Flom LLP
