For more than 30 years, the Kansas City Media and the Law Seminar has been at the forefront of important discussions in the media bar. As this year’s committee chair, I may be a bit biased, but I think the focus of the seminar coming up on May 3-4 is one of the most important topics we have tackled to date: The impact of technology, culture, and politics on media freedoms. There’s no doubt that our media and political climate has changed dramatically over the past few years, and technology continues to push the envelope as laws struggle to keep up. It’s fascinating to think that at least half of this year’s panels involve topics that didn’t even exist when this seminar started — things like “social media,” “fake news,” and “Tweets.” Continue Reading Join Vedder Price at the 31st annual Media and the Law Seminar
On April 10, 2018, the Federal Financial Institutions Examination Council (the “FFIEC”), an interagency body composed of the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency and the State Liaison Committee, issued guidance to assist financial institutions in analyzing the use of cyber insurance in an effective risk management program (the “Guidance”).
Overview of the Ruling
On March 16, 2018, just before tip-off in the first round of the NCAA tournament, the D.C. Circuit provided the TCPA defense bar with a new playbook of sorts, in the form of a decision that will surely change the game for TCPA litigation. The case, of course, is ACA International v. FCC, and the ruling came down nearly 18 months after oral arguments. ACA Int’l et al. v. FCC, No. 15-1211, Doc. No. 1722606 (D.C. Cir. Mar. 16, 2018). It appears to be worth the wait as the D.C. Circuit slam dunked the former definition of automated telephone dialing equipment (“ATDS”) and the “one-call safe harbor” rule for reassigned numbers.
What Is GDPR?
The EU General Data Protection Regulation (GDPR),—described as “the most important change in data privacy regulation in 20 years”—becomes enforceable by law on May 25, 2018. After four years of preparation and debate, GDPR was approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. According to the EUGDPR.org, the overarching purpose of GDPR is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Expected to comply are organizations located within the EU; that offer goods or services to, or monitor the behavior of, EU data subjects; and all companies processing and holding the personal data of data subjects residing in the EU.
A North Carolina bill designed to strengthen the state’s data breach notification statute could radically change incident response. Through the Act to Strengthen Identity Theft Protections, North Carolina could quickly become one of the strictest jurisdictions for data security in the country. The text of the bill has not yet been made public, but a fact sheet released earlier this month indicates that North Carolina may take drastic steps to address the fact that 5.3 million North Carolinians were impacted by data breaches in 2017. Continue Reading Data Breach Notification Revisions in North Carolina Would Bring Radical Change
As 2017 comes to a close and companies look to planning initiatives for 2018, there is one date that should be front and center for privacy professionals: May 25, 2018. That is the date that the EU’s General Data Protection Regulation (GDPR) goes into effect, meaning that any company dealing with EU consumer data needs to have a plan in place. The GDPR has been looming for almost two years now (since its adoption on April 27, 2016), so hopefully most companies impacted by the regulation have already begun to implement compliance mechanisms. But if not, it’s not too late.
We have written previously in this space about what the scope of the GDPR requirements. The question now is what companies covered by the GDPR should be doing as they head into 2018. Here are some critical steps to make sure you are on track to ensure GDPR compliance:
The following August 28 blog post inspired the Law360 article, “Employers Should Be Wary Of Turning Over Employee Info,” published on October 5, 2017. See full article below.
When a government agency requests the contact information for a company’s employees, whether by subpoena, CID or otherwise, its knee-jerk reaction may be to produce the data without a second thought. After all, failing to comply with an agency’s information request can have serious consequences, including significant fines and attorneys’ fees. However, employers are also obligated to protect their employees’ personal information from improper disclosure. In fact, most states have passed data privacy and security laws to protect employees’ personal information against unauthorized use and identity theft. A recent ruling authored by a Department of Labor Administrative Law Judge offers some tips to employers facing demands for their employees’ confidential personal information.
In July, ALJ Steven Berlin ruled that the DOL Office of Federal Contract Compliance’s demand for employee contact information from Google was overbroad and intrusive on employee privacy. The OFCCP requested the name, address, telephone number and personal e-mail address of over 25,000 Google employees in connection with an audit of the tech giant’s compensation practices. Judge Berlin substantially limited the OFCCP’s request, citing a number of employee privacy concerns. Continue Reading Lessons for Employers from a Recent ALJ Decision Narrowing the DOL’s Requests for Employees’ Contact Information
In the past few weeks, five putative class action lawsuits have been filed under the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., targeting defendants in the health care, senior living, commercial baking, meat processing and security industries. These recent suits join previously filed BIPA class actions against day care operators, tanning salons, video game manufacturers, hotel groups and supermarkets as well as much larger entities, including Facebook, Google, Shutterfly, Six Flags and Snapchat. All of these suits have similar allegations at their core; that defendants utilized employees’, customers’, or other persons’ biometric identifiers, such as fingerprints, voiceprints, retina scans or facial recognition technology, in violation of BIPA’s disclosure and consent requirements. All seek recovery of BIPA’s statutory liquidated damages of $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation, injunctive relief, and recovery of attorneys’ fees and costs.
Until the past 18 months, when the first of these suits was filed, BIPA has been a little-known statute. Enacted in 2008, BIPA was passed to protect against risk of identity theft resulting from the growing use of biometric technology to facilitate financial transactions and security screenings. 740 ILCS 14/5.
BIPA applies to both biometric identifiers, such as fingerprints, voiceprints, retina scans, and facial geometry, and other biometric information based on those identifiers to the extent used to identify an individual. 740 ILCS 14/10. BIPA is an important measure because, unlike such things as Social Security numbers and passwords that can be changed if necessary, biometrics are biologically unique and, when compromised, leave an individual without recourse. 740 ILCS 14/5. Continue Reading The Rise of Biometric Lawsuits in Illinois
The EU’s General Data Protection Regulation (679/2016/EU), the GDPR, comes into force across the EU on 25 May 2018. As it is being made by regulation the GDPR, unlike the existing Data Protection Directive (implemented into the UK by the Data Protection Act 1998), will have direct effect throughout the EU. National governments will have some limited scope to tailor certain of its provisions to their jurisdiction. However, the GDPR will significantly harmonise the current national data protection laws across the EU.
Notwithstanding Brexit, the UK government has indicated its intention to implement the GDPR in full. The UK regulator’s (the Information Commissioner’s Office) powers and ability to work seamlessly with other national EU regulators will form a negotiation point in the coming Brexit deal. Continue Reading EU General Data Protection Regulation: A Summary for Non-EU Businesses