On June 1, 2018, the Alabama Data Breach Notification Act of 2018 will take effect. In addition to being the last state to enact a breach notification law, Alabama’s new law distinguishes itself in a variety of unique ways.

Consistent with other state breach notification laws, the new law defines “sensitive personally identifying information” maintained in electronic form (covered information) broadly. In addition to government issued forms of identification and financial account numbers, covered information includes an individual’s medical history, mental or physical condition, or medical treatment or diagnostic information when combined with the resident’s name. In addition, usernames or email addresses, in combination with a password or security question and answer, are also classified as covered information, but only if the account is affiliated with the entity that experienced the breach, and only if such credentials would permit access to an online account that is “reasonably likely to contain or is used to obtain” sensitive personally identifying information (i.e., if the username or email address and password grant access to covered information that triggers the notification requirement). These important caveats limit the circumstances in which entities that maintain covered information (covered entities) must notify Alabama residents of breaches involving usernames or email addresses and passwords.
Continue Reading Alabama Becomes Final State to Enact Data Breach Notification Law

As application of the European Union’s (EU’s) General Data Protection Regulation (GDPR)1 quickly approaches, the enforcement authority of the European data protection authorities (DPAs) is rightfully on everyone’s mind. The power to issue monetary fines against non-compliant entities of up to four percent of the entity’s past year worldwide turnover is one of the GDPR’s most striking provisions.2 But, the GDPR also includes a provision that may prove to be equally important: giving individuals the right to bring collective legal action against non-compliant entities. If these collective actions become common, understanding by whom, under what grounds, and where these suits may be brought will be critical in assessing the importance of compliance and the benefits and risks of launching European data initiatives.
Continue Reading GDPR—Collective Actions Under the Privacy Banner

The expanding use of mobile technologies, cloud computing, and the Internet of Things has greatly increased the amount of available consumer data. The ability to efficiently process this information has the potential to provide countless consumer benefits. Nevertheless, companies must navigate an ever-expanding patchwork of domestic and foreign laws and uncertainty regarding the application of existing laws to new technologies. In addition, although regulators have commended the advancement and development of new consumer lending technologies, they also have warned that these new tools “carry the risk of disparate impact in credit outcomes and the potential for fair lending violations[.]” For companies under the authority of the Consumer Financial Protection Bureau (CFPB), the CFPB’s no-action letter (NAL) program offers a potential tool to help navigate these challenges. As described in the following article, however, the tool is not without risk for companies seeking regulatory guidance.
Continue Reading Starting Up the CFPB’s No-Action Letter Program

On July 21, 2017, Judge John A. Ross of the U.S. District Court for the Eastern District of Missouri issued a preliminary approval of a settlement agreement between the owner of AshleyMadison.com and the class representing former users whose personal information was breached in July 2015. Under terms of the settlement, Ruby Corp, the operator of the Ashley Madison website, is scheduled to pay $11.2 million. For some, the settlement announcement is a missed opportunity: the litigation represented a chance to clarify the scope of actionable consumer harm in breach-related litigation, as unlike in other notable breaches, the mere identification of individuals who used the website (and were thus affected by the breach) likely produced unwanted consequences. Nonetheless, the settlement agreement is interesting by itself, as it offers unique solutions to address class members seeking financial remuneration but wishing to avoid further publicity regarding their connection to AshleyMadison.com.
Continue Reading Ashley Madison: Life Is Short. Settle.