On June 1, 2018, the Alabama Data Breach Notification Act of 2018 will take effect. Alabama was the last state to enact a breach notification law, and its new law distinguishes itself from the other states' statutes in a variety of ways.

Consistent with other state breach notification laws, the new law defines "sensitive personally identifying information" maintained in electronic form (covered information) broadly. In addition to government-issued forms of identification and financial account numbers, covered information includes an individual's medical history, mental or physical condition, or medical treatment or diagnostic information when combined with the resident's name. Usernames or email addresses, in combination with a password or security question and answer, are also classified as covered information, but only if the account is affiliated with the entity that experienced the breach, and only if such credentials would permit access to an online account that is "reasonably likely to contain or is used to obtain" sensitive personally identifying information (i.e., if the username or email address and password grant access to covered information that itself triggers the notification requirement). These caveats limit the circumstances in which entities that maintain covered information (covered entities) must notify Alabama residents of breaches involving usernames or email addresses and passwords.
Continue Reading Alabama Becomes Final State to Enact Data Breach Notification Law

On February 26, 2018, the U.S. Court of Appeals for the Ninth Circuit issued an en banc decision in FTC v. AT&T holding that the Federal Trade Commission (FTC) Act's "common carrier" exemption is activity-based. The decision reverses the panel's earlier holding that the exemption is status-based, which would have opened a large enforcement gap for telecommunications companies like AT&T. This is an important decision for FTC jurisdiction: it means that the FTC can and will continue to regulate common carriers to the extent that they provide non-common-carrier services, such as mobile internet services.

Section 5 of the FTC Act gives the Commission enforcement authority over unfair and deceptive acts or practices, but exempts "common carriers subject to the Acts to regulate commerce." Unsurprisingly, the question of whether a company qualifies as a "common carrier" under the exemption is a loaded and complicated one. If an entity falls within the exemption, the FTC cannot bring an enforcement action against it for conduct the agency considers harmful to consumers. Conversely, companies that fall outside the exemption are subject to FTC regulation, which leaves them open to liability for unfair or deceptive conduct and requires them to comply with a long list of FTC rules.
Continue Reading “Two Cops on the Beat is Nothing Unusual”: Ninth Circuit Reverses Panel Decision, Rules FTC Act’s “Common Carrier” Exemption is Activity-Based

On February 27, 2018, the Federal Trade Commission (FTC) announced that it had reached an agreement with PayPal to settle allegations that its peer-to-peer payment service, Venmo, engaged in deceptive acts and practices and violated the Gramm-Leach-Bliley Act (GLBA)'s Safeguards Rule and Privacy Rule. Since 2011, Venmo has offered peer-to-peer payment services through an app that consumers can download, link to their external bank accounts, and use to send money to and receive money from other users. In its complaint, the FTC alleged that PayPal, through Venmo, failed to adequately disclose that: (1) it could freeze or remove funds credited to a customer's account; (2) the Default Audience Setting did not ensure that future transactions were visible only to the chosen audiences; and (3) the Individual Audience Setting did not ensure that any single transaction was visible only to the chosen audience. The FTC also alleged that PayPal, through Venmo: (1) misrepresented that it protected consumers' information with "bank-grade security systems"; (2) failed to protect the security, confidentiality, and integrity of customer information, in violation of the GLBA's Safeguards Rule; and (3) failed to send customers an adequate initial privacy notice detailing its privacy policies and practices, in violation of the GLBA's Privacy Rule.
Continue Reading FTC Announces Settlement with PayPal for Alleged FTC Act and GLBA Violations by Venmo

2018 promises to be an interesting year in the world of privacy and cybersecurity. In this article, we highlight a few of the most notable developments we expect this year, including major developments in Europe, changes and pending cases at the Federal Trade Commission (FTC), notable U.S. Supreme Court cases scheduled to be decided this year, and some areas of legislation that may actually become law in the U.S.

Big Changes Taking Effect in the European Union

One of the biggest areas where everyone in the privacy field will be looking in 2018 is the European Union (EU). On the legislative front, the General Data Protection Regulation (GDPR) will begin to apply on May 25, 2018; the proposed e-Privacy Regulation is scheduled to be adopted this year; and the European Parliament will issue a report on the proposed Regulation on Non-Personal Data. Additionally, the Court of Justice of the EU (CJEU) will rule on several important data protection cases, including on third-party tracking, the right to be forgotten, and the possibility of class actions.
Continue Reading A Look Ahead at Privacy and Data Security in 2018

On September 5, 2017, the Federal Trade Commission (FTC) announced that it and 32 state attorneys general had settled charges with Lenovo, Inc., regarding the company's practice of pre-loading advertising software on its laptops that compromised consumers' cybersecurity and privacy. In many respects, the case was reasonably straightforward: the facts as alleged were clear, and the terms of the settlement were not unusual. What makes this case interesting are the dueling concurrences issued by Acting Chairman Ohlhausen and Commissioner McSweeny regarding the FTC's authority to challenge omissions. These concurrences continue a debate that has been stirring on and off at the FTC for more than 30 years, and they raise important questions about the agency's future enforcement priorities.
Continue Reading To Disclose or Not To Disclose: The FTC’s Dueling Concurrences over Deceptive Omissions in Lenovo