W-2 Phishing Scammers Are Targeting Tech Companies

The W-2 phishing scams are back. Fraudsters have learned that W-2 phishing scams can be highly effective when targeting businesses while they are handling and sending employee income-tax-related documents early in a new year. Once fraudsters obtain the information on W-2 tax forms about employees from businesses, they quickly attempt to commit tax identity theft by filing fraudulent tax returns to obtain victims’ refunds or to otherwise commit identity theft. Given that the Internal Revenue Service (IRS) is now accepting 2016 tax returns, we are seeing an increase in these W-2 phishing emails. Smaller and younger businesses, such as tech start-ups, can be particularly attractive to fraudsters since they are less likely to have formal policies and procedures in place for handling employee information.

Click here to read our complete WSGR Alert discussing the recent phishing scams.

EU Commission Publishes Proposal for e-Privacy Regulation: The Top Nine Key Points You Need to Know

On January 10, 2017, the European Commission published a Proposal for a Regulation (Proposal) that, if adopted, would have significant and far-reaching implications for Internet-based services and technologies.

The Proposal seeks to revise the current EU ePrivacy Directive. It creates strict new rules regarding confidentiality of electronic communications, including content and metadata. In addition, the Proposal amends the current rules on the use of cookies and similar technologies, and direct marketing. The rules apply to EU and non-EU companies providing services in the EU, and are backed up by massive enforcement powers—fines of up to four percent of a company’s global turnover.

The Proposal is the next major step in the EU’s review of its data protection legal framework and follows the adoption of the General Data Protection Regulation (GDPR) in April 2016. Companies should consider following the legislative process and assessing how the new rules may impact their business.

Click here to read our WSGR Alert that provides background information, highlights the top nine key points of the Proposal, and offers an overview of the next steps.

What’s a CID and What Happens If You Receive One from the FTC?

Those with experience working with the U.S. Federal Trade Commission (FTC) exchange any number of acronyms freely: CPB (Bureau of Consumer), DPIP (Division of Privacy and Identity Protection, part of the CPB), and, perhaps the most cryptic, CID, writes Sam Pfeifle in a new post on The Privacy Advisor from the IAPP.

CID stands for “civil investigative demand,” and if you receive one of these letters, it means the CPB is investigating possible “unfair or deceptive acts or practices” at your organization, notes Pfeifle.

Christopher Olsen, who’s both issued CIDs as deputy director of the CPB and helped companies manage them as part of his role as a partner in the privacy and data protection practice at Wilson Sonsini Goodrich & Rosati, recently spoke on the topic of CIDs as part of the IAPP’s Practical Privacy Series in Washington, D.C.

Click here to read the IAPP’s report on the event.

FCC Orders Far-Reaching New Privacy and Data Security Rules

As expected, the Federal Communications Commission (FCC) has handed down sweeping new privacy and security rules for Internet service providers (ISPs). On Thursday, October 27, 2016, a sharply divided commission voted to enact these new rules, which impose strict new requirements for ISPs’ collection, use, sharing, and protection of their customers’ information, including information ISPs receive about their customers’ geolocation and online activities. Consequently, ISPs will soon be subject to heightened notice and consent requirements for activities such as behavioral advertising and other online tracking, as well as more robust security and data breach notification obligations. Up until now, there have not been specific FCC privacy rules that govern ISPs’ handling of such data. ISPs and members of the online advertising industry objected strenuously to numerous aspects of the FCC’s proposed rules, including the FCC’s classification of web browsing behavior as sensitive information subject to opt-in consent, an approach at odds with that of the Federal Trade Commission (FTC), the nation’s primary regulator of commercial privacy and security interests. Ultimately, the FCC waved off those objections in adopting its final rules.

The FCC’s action today represents the culmination of a rulemaking process that the FCC initiated in 2015. At that time, as part of the Open Internet Order, the FCC made the decision to apply the privacy requirements of Section 222 of the Communications Act—which had previously only governed telephone services—to the world of broadband. The FCC adopted a Notice of Proposed Rulemaking (NPRM) in March 2016 to address a host of questions regarding how Section 222 applies to broadband providers. On October 6, 2016, FCC Chairman Tom Wheeler circulated to his fellow commissioners a proposed Order, which was approved earlier today by a 3-2 vote. The final Order has not yet been released.

Click here to read our complete WSGR Alert summarizing the aspects of the FCC’s decision that we believe will be of the greatest significance to our clients.

Article 29 Working Party Issues Statement Following Adoption of EU-U.S. Privacy Shield

On July 26, 2016, the body of European Data Protection Authorities (DPAs)—the “Article 29 Working Party” (WP29)—issued a statement commending the improvements made to the EU-U.S. Privacy Shield (Privacy Shield). Although the WP29 continues to have some of the concerns raised in its April 2016 opinion, and the Privacy Shield will most likely face legal challenge, the Privacy Shield is a valid tool for companies transferring data from the EU to the U.S. Companies can begin registering for the Privacy Shield on August 1, 2016.

The WP29 statement indicates that it will pay close attention to the annual joint review called for in the framework and to ensuring that individuals may effectively exercise their rights under the Privacy Shield. The WP29 emphasizes that it will closely monitor the functioning of the Privacy Shield and will not hesitate to request changes that it believes are warranted as a result of the first annual review of the Privacy Shield framework.

Click here to read our complete WSGR Alert discussing the WP29 statement.

The EU-U.S. Privacy Shield Is Adopted and Available as of August 1, 2016

On July 12, 2016, the EU Commission and the U.S. Secretary of Commerce announced the adoption of the EU-U.S. Privacy Shield (Privacy Shield). This announcement follows today’s adequacy decision by the College of EU Commissioners, which recognizes that the Privacy Shield provides an adequate level of protection under EU data protection law. The adequacy decision represents formal approval of the Privacy Shield as a legal basis for data transfers from the EU to the U.S.

Privacy Shield certification will be available to companies as of August 1, 2016. Although the adoption of the Privacy Shield is a welcome development, it does not eliminate the recent legal uncertainty that has surrounded data transfers from the EU to the U.S., as the Privacy Shield is expected to face legal challenges before DPAs and courts.

Certification to the Privacy Shield is not a mere formality. Before certifying, companies should carefully review the Privacy Shield principles and the supplemental principles to assess whether it is a workable data transfer solution for their business. Noncompliance may expose companies to significant sanctions.

Click here to read our complete WSGR Alert discussing the new Privacy Shield.