Privacy & Data Security Feed

New York SHIELD Act Expands Data Security and Breach Notification Requirements

By: Kara K. Trowell

On July 25, 2019, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which significantly amended the state’s data breach notification law to impose additional data security and data breach notification requirements on covered entities.

Expanded Definitions.

Under the new law, the definitions of “private information” and “breach of the security system” have been revised in ways that broaden the circumstances that qualify as a data “breach” and could trigger the notification requirements.  First, private information has been expanded to include:

  • (a) financial account numbers that can be used alone to access a financial account;
  • (b) biometric data used to authenticate an individual’s identity;
  • (c) standalone data such as a user name or email address in combination with a password or security question and answer that would permit access to an online account; and
  • (d) unsecured protected health information covered under HIPAA.

These changes effectively expand the types of situations covered by the law that could result in a breach of system security and trigger the notification requirements.

Second, the circumstances that qualify as a “breach” have been expanded to now include incidents that involve “access” to private information, regardless of whether they resulted in “acquisition” of that information.



FinCEN Issues Report on Business Email Scams


By: David P. Saunders
At the risk of stating the obvious, everyone uses email. It has become a central component of both our daily lives and, of course, our businesses. As we transform into a fully digital, corporate world, there are those who have sought to exploit the growing reliance on email: spammers, hackers, and of course, phishers. No, not the people who go to those really long concerts; we are talking about email scammers who purport to tell you that your UPS package has arrived, but all you need to do is click a link and enter some information. These scams can cripple a business, and trying to prevent them is difficult because in many ways the solution relies on removing human error.

Enter the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Treasury Department that collects and analyzes information about financial transactions in order to combat domestic and international money laundering, terrorist financing, and other financial crimes.  FinCEN recently held a forum aimed at discussing ways to identify and curtail business email scammers.  The forum, held in New York City, analyzed the trends in business email scams.  At the forum, FinCEN released a report indicating that reporting of business email scams had more than doubled between 2016 and 2018.  The report also detailed that fake invoice scams grew as a methodology, and that manufacturing and construction businesses were top targets.



HUD Brings Housing Discrimination Charge Against Facebook

By Emily A. Bruemmer

On March 28, 2019, the US Department of Housing and Urban Development (HUD) filed a Charge of Discrimination against Facebook, alleging that Facebook violated the Fair Housing Act “by encouraging, enabling, and causing housing discrimination through the company’s advertising platform.” This is an administrative action filed by the Secretary of HUD, on behalf of complainant Assistant Secretary for Fair Housing and Equal Opportunity, before the Office of Administrative Law Judges at HUD. Unless any of the parties chooses to have the case heard in federal district court, an administrative law judge will hear the charge and may award damages, in addition to injunctive or other equitable relief, attorney fees, and fines. HUD previously announced a formal complaint, initiated by the Secretary of HUD, against Facebook in August 2018. The formal complaint was the first step in a process that then moved to a fact-finding investigation. Last month’s charge indicates that the investigation resulted in a determination that there was reasonable cause to believe that Facebook violated the Fair Housing Act.



Facebook Announces Potential $5 Billion FTC Fine

By Emily A. Bruemmer

On April 24, 2019, Facebook announced in its Q1 earnings release that it had set aside $3 billion and estimates that it may pay up to $5 billion in a fine related to the FTC’s ongoing inquiry into its “platform and user data practices.” Facebook entered into a settlement with the FTC related to its privacy practices in 2011, which has reportedly been re-opened. This would be the largest fine ever imposed by the FTC on a technology company. The possibility of a “multi-billion dollar fine” was first reported this February by The Washington Post.


Facebook Announces New Privacy Initiative

By Emily A. Bruemmer

On March 6, 2019, Facebook CEO Mark Zuckerberg announced via an interview and a Facebook blog post a planned shift to “building a privacy-focused messaging and social networking platform.” Characterizing this shift as a “privacy-focused vision,” Zuckerberg said that this change in focus meant that Facebook and Instagram would not only function as “the digital equivalent of a town square” but also “the digital equivalent of the living room.” This shift was billed in part as a response to user demand: according to the post, the “fastest growing areas of online communication” were private messaging, “ephemeral stories,” and small group communication.

According to the blog post, Facebook’s “privacy-focused platform” will be based on six principles: private interactions, encryption, reducing permanence, safety, interoperability, and secure data storage.  “Interoperability” refers to Facebook’s plan to integrate its messaging services across Facebook Messenger, WhatsApp, and Instagram Direct.  The blog post did not provide much detail on what these principles would mean in practice or what changes users would see from an experiential perspective, but rather qualified its efforts as being in the “early stages.”  



Proof of Classwide Injury & Damages Found Possible in Target Data Breach Litigation

By Reena R. Bajowala

The fallout from the late 2013 data security breach involving the Target Corporation is not over yet. After Target announced that financial information of more than 40 million consumers could be at risk, a flurry of lawsuits were filed by consumers and financial institutions. The consumer suits settled. The financial institution suits live on (for now) in In re Target Corp. Customer Data Security Breach Litigation, No. 14-2522 (D. Minn. Sept. 15, 2015), where a class of financial institutions who issued credit cards to Target consumers alleged that they were injured by Target’s failure to prevent hackers from accessing customer data, the injury taking the form of replacing cards and reimbursing fraud losses.

Plaintiffs sought Rule 23(b)(3) class certification.  Target opposed, arguing that the injuries are “risk of future harm” that financial information might in the future be used, so cannot be established with classwide proof.  The court noted that the banks already reissued cards and that some have already incurred losses from payments.  Target countered that there was no requirement that the plaintiffs reissue cards, so the voluntary act cannot be used by the plaintiffs to establish their own injuries.  The court rejected the argument, holding that “[w]hether a specific action was legally mandated is not required to establish injury or causation.”  The court commented that the “absurdity of this suggestion is evident from the fact that Target itself reissued all of its RedCards . . . in the weeks after the breach.” 



Data Transfer From The EU Just Got More Complicated

By Mary Ellen Callahan

On October 6, 2015, the Court of Justice of the European Union (CJEU) decided to agree in large part with the Advocate General’s recommendation in the matter Schrems v. Facebook (Ireland), and invalidated the U.S./EU Safe Harbor mechanism for transferring data. Safe Harbor was first established in 2000 as an additional mechanism to transfer personal data from the EU to the U.S., provided that companies publicly agreed to Safe Harbor privacy principles (Commission decision 2000/520). Enforcement for Safe Harbor non-compliance was vested in the Federal Trade Commission; the FTC could also accept complaints from EU Data Protection Authorities (DPAs).

In Schrems, the Irish DPA determined that he did not have the authority to review whether the Commission’s Safe Harbor decision was valid.  The Irish High Court concurred, and therefore the CJEU took the case.

The CJEU takes the findings of the (non-binding) Advocate General recommendation in whole, including that the U.S. legal system has “systemic failures” in data protection because of national security programs revealed in June 2013 after a series of unauthorized disclosures of PRISM and other national security programs.  However, the Advocate General’s opinion does not accurately describe PRISM and other national security programs as they operated in 2013, and despite indicating that his decision must take into account the regime as currently in operation, the Advocate General’s sweeping generalities are not accurate.  (see, e.g., analysis of Advocate General recommendations by Peter Swire, member of the independent Review Group on Intelligence and Communications Technology, created by President Obama in 2013). 



The More Things Change... More Amendments to State Breach Notification Laws

By Mary Ellen Callahan and Heidi Wachs

This year has seen a spate of updates to state data breach notification laws. The most recent state to join the trend is Connecticut, whose new legislation was signed into law by Governor Daniel Malloy on July 1, 2015 and went into effect on October 1, 2015. The updated law adds biometric data to the definition of personal information and sets a 90-day deadline for companies to report data breaches to affected residents as well as the state Attorney General. The amendments also require companies to provide victims with one year of identity theft protection, making Connecticut the first state in the country to require identity theft protection. California enacted a similar law this January, requiring a full year of protection if a business elects to offer credit monitoring.

Montana, Nevada, North Dakota, Washington, and Wyoming also all approved updates to their laws earlier this year. Common updates across these new pieces of legislation include expanded definitions of personal information, incorporating additional data elements beyond the historically included first name or first initial and last name in combination with social security number, driver’s license number, or “account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account,” and required notification to the state attorney general.
