SCOTUS: Accessing Private Database for Improper Purpose Not Violation of Computer Fraud and Abuse Act.
In a recent Supreme Court case, Van Buren v. United States, the Court narrowed the applicability of the Computer Fraud and Abuse Act. (CFAA). The Court determined that a police officer with permission to access a law enforcement database did not violate the statute when he obtained information from that database for an improper purpose, namely accepting $6,000 to look up whether someone was an undercover police officer. Rejecting the DOJ's argument that the 1984 statute's scope is "clear," the high court agreed that the CFAA's language allows prosecutors and private entities to pursue claims based on minor activities.
$500K SEC Settlement Reached Over Disclosure Failures
The SEC has reached a roughly $500,000 settlement with a real estate settlement company regarding a cybersecurity defect that exposed personal financial information on over 800 million mortgage title insurance records. The SEC faulted the company for lacking disclosure protocols that should have alerted senior management to the problem and for ineffectively communicating the failure to senior management once aware. As part of the settlement, "the company consented to the entry of an order finding a violation of Rule 13a-15 of the Securities Exchange Act of 1934, which requires issuers of registered securities to maintain effective disclosure controls."
Attorneys, Be Specific and Communicative About Who Your Clients Are – Loss of Attorney-Client Privilege
Ex-Theranos CEO Elizabeth Holmes' recently lost her attorney-client privilege in a pretrial dispute over her communications with her attorney. Some are flagging this as "a cautionary tale" to corporate attorneys. Holmes argued in her briefs that the law firm began jointly representing her and Theranos in a 2011 intellectual property dispute. She said that over time their relationship "grew organically," with the law firm jointly advising Holmes and the company on a variety of topics through 2016, including in Holmes’ personal interactions with media. However, a U.S. Magistrate Judge ruled that Holmes had not shown that she made it clear to her attorneys that she was seeking legal advice in her personal capacity and not just as a company executive, thereby rendering the communications subject only to corporate privilege.
Ensure Consumers’ Private Information is Properly Secured - FTC and MoviePass Reach Settlement Regarding Data Security Failure
Be Meticulous with Biometric Data Collection - Recent Pricy BIPA Lawsuits
Six Flags has agreed to pay $36 million to end a class action lawsuit accusing it of collecting customers’ biometric fingerprint data in violation of Illinois’ biometric privacy law. Meanwhile, a proposed $5 million class action accusing McDonald's of violating Illinois' Biometric Information Privacy Act by storing customers' voiceprints without their permission has been filed in federal court. Both instances serve as good reminders to avoid the collection of biometric data unless absolutely necessary.
California Privacy Protection Agency Board's Inaugural Public Meeting
The passage of the California Privacy Rights Act (CPRA) established a new enforcement agency, the California Privacy Protection Agency (CPPA), which is the first agency in the country solely dedicated to privacy. The CPPA will implement and enforce the law, and has several responsibilities including rulemaking. The five-member board met for its inaugural meeting on June 14, 2021. While the majority of the meeting covered administrative procedures and requirements for setting up a new agency, there were some helpful clarifications on timing. Draft regulations will be submitted by mid-May 2022 at the very latest to meet the July 2022 deadline for the CPRA regulations. Additionally, the CPPA is focused on quickly hiring an Executive Director and Chief Deputy Director of Administration. Candidates for the positions will be considered in a public meeting. The meeting materials for the inaugural meeting are available here.
New Nevada Internet Privacy Bill Signed by Governor
There is a new data broker law in Nevada, making it the third state to have a law addressing data brokers (in addition to California and Vermont). The text of the bill is here and bill history can be found here. The bill is set to take effect October 1, 2021. In particular, the bill provides for, among other things:
- prohibitions on data brokers from making any sale of certain information collected about a consumer if so directed by the consumer;
- requirements for data brokers to establish a designated request address through which a consumer may submit a verified request to direct a data broker not to make any sale of any covered information about the consumer that the data broker has purchased or will purchase;
- requirements for data brokers to respond to such requests within 60 days of receipt;
- the possibility for a data broker who has not previously failed to comply with these provisions to remedy any failure to comply within 30 days after being informed of such a failure; and powers for the Attorney General to institute legal proceedings against a data broker believed have directly or indirectly violated the provisions of the bill.
Bose Added to List of High-Profile Companies Who Have Suffered Ransomware Attack
Bose discovered that using access to HR systems, attackers accessed current and former Bose employees’ personal data – specifically names, social security numbers, compensation information, and other HR-related information. In addition to providing free identity protection services to the affected individuals for 12 months, Bose implemented new and additional security measures to defend its systems and lessen the risk of future infiltration, including among others: (i) enhanced malware/ransomware protection on endpoints and servers; (ii) enhanced monitoring and logging to identify any future actions by the threat actor or similar types of attacks; and (iii) changing passwords for all end-users and privileged users. Similar efforts are required or soon will be by the scores of data protection statutes in force now or being debated in states and in the federal government, many of which grant rights to employees to seek relief should their data be exfiltrated from their employer.
CCPA Record-Keeping Obligations – Disclosures due July 1, 2021
Businesses that handle the personal information of 10,000,000 or more Californians are subject to additional record-keeping requirements under the CCPA Regulations. Per Section 999.317, subd. (g), businesses must disclose the following by July 1, 2021:
- The number of requests to know that the business received, complied with in whole or in part, and denied;
- The number of requests to delete that the business received, complied with in whole or in part, and denied;
- The number of requests to opt-out that the business received, complied within whole or in part, and denied; and
- The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.
Augmented Reality Makeup Tools Serve as Foundation for BIPA Class Actions
New European Commission Standard Contractual Clauses Published
The European Commission published new standard contractual clauses between controllers and processors, which function as an annex that can be attached to commercial agreements. These EC Art. 28 SCCs became effective June 27, 2021. The new controller to processor EC Transfer SCCs incorporate GDPR compliant data processing terms, so when the controller to processor Transfer SCCs are used, EC Art. 28 SCCs (or any other form of additional data processing agreement) are not also required. Notably, the EC Art. 28 SCCs are optional.
Irish Data Protection Commission Publishes DPO Registration Guidelines
The Data Protection Commission ('DPC') recently released guidance on the DPO Register. In particular, the guidelines noted that all organizations that have appointed a data protection officer (DPO) pursuant to Article 37(1) General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) are required to notify the contact details of their DPO to the DPC, which maintains these details in the DPO Register. The guidelines also provided clarification on which organizations are required to appoint a DPO, how an organization should communication their DPO details with the DPC, and whether the DPC will notify organizations once their DPO is on the register.
France: CNIL Addresses Cookie Walls and Monetization of Personal Data
The French data protection authority ('CNIL') issued recent guidance on legal and ethical issues concerning cookie walls and the monetization of personal data. In particular, CNIL outlined that an emerging concept of data property rights, whereby individuals monetize their personal data and allow companies to exploit it in such a way that both companies and individuals can earn income from it, is contrary to the currently applicable law. With respect to cookie walls, CNIL noted that the requirement of free consent cannot justify a general ban on the practice of cookie walls and that the freedom of consent of individuals must be assessed on a case-by-case basis, taking into account the existence of a real and satisfactory alternative offered in the event of the refusal of cookies.
Netherlands Protection Authority Publishes Works Council’s Privacy Booklet for the Workplace
Dutch protection authority (AP) recently published the Works Council privacy booklet to the Social and Economic Council ('SER'). In particular, the AP noted that in support of the Works Council, the guide covers the following topics: (i) the right of consent; (ii) the definitions of personal data and of processing; (iii) important privacy rules from the GDPR and questions to ensure employers' plans are GDPR-proof; and (iv) assessment questions where an employer intends to use a personnel tracking system.
G7 Summit Highlights Importance of Privacy and Data Considerations
Of particular note, the G7 Summit held in June 2021 highlighted calls for the following: (i) championing data free flow with trust; (ii) working to address the escalating shared threat from criminal ransomware networks; (iii) securing supply chains, and (iv) the continued need for respecting freedoms of speech and peoples' reasonable expectation of privacy.
China’s Data Security Law Passed
On June 10, 2021, China's National People’s Congress Standing Committee passed the third iteration of its Data Security Law ("DSL"). The DSL will take effect on September 1, 2021. Notably, this third revision of the DSL implements the following: (i) the concept of "national core data," noting that a "more stringent regulatory system" shall be implemented with respect to this data; (ii) heightened approval requirements and more stringent penalties for data requests by foreign judicial or law enforcement entities; and (iii) that state authorities are bound by the DSL in the same way as private parties. In addition, the final DSL imposes additional confidentiality requirements and considers elderly citizens’ needs in developing and improving “intelligent/smart public services.”