A North Carolina bill designed to strengthen the state’s data breach notification statute could radically change incident response. Through the Act to Strengthen Identity Theft Protections, North Carolina could quickly become one of the strictest jurisdictions for data security in the country. The text of the bill has not yet been made public, but a fact sheet released earlier this month indicates that North Carolina may take drastic steps to address the fact that 5.3 million North Carolinians were impacted by data breaches in 2017. Continue Reading Data Breach Notification Revisions in North Carolina Would Bring Radical Change
As 2017 comes to a close and companies look to planning initiatives for 2018, there is one date that should be front and center for privacy professionals: May 25, 2018. That is the date that the EU’s General Data Protection Regulation (GDPR) goes into effect, meaning that any company dealing with EU consumer data needs to have a plan in place. The GDPR has been looming for almost two years now (since its adoption on April 27, 2016), so hopefully most companies impacted by the regulation have already begun to implement compliance mechanisms. But if not, it’s not too late.
We have written previously in this space about the scope of the GDPR requirements. The question now is what companies covered by the GDPR should be doing as they head into 2018. Here are some critical steps to make sure you are on track to ensure GDPR compliance:
The following August 28 blog post inspired the Law360 article, “Employers Should Be Wary Of Turning Over Employee Info,” published on October 5, 2017. See full article below.
When a government agency requests the contact information for a company’s employees, whether by subpoena, CID or otherwise, its knee-jerk reaction may be to produce the data without a second thought. After all, failing to comply with an agency’s information request can have serious consequences, including significant fines and attorneys’ fees. However, employers are also obligated to protect their employees’ personal information from improper disclosure. In fact, most states have passed data privacy and security laws to protect employees’ personal information against unauthorized use and identity theft. A recent ruling authored by a Department of Labor Administrative Law Judge offers some tips to employers facing demands for their employees’ confidential personal information.
In July, ALJ Steven Berlin ruled that the DOL Office of Federal Contract Compliance’s demand for employee contact information from Google was overbroad and intrusive on employee privacy. The OFCCP requested the name, address, telephone number and personal e-mail address of over 25,000 Google employees in connection with an audit of the tech giant’s compensation practices. Judge Berlin substantially limited the OFCCP’s request, citing a number of employee privacy concerns. Continue Reading Lessons for Employers from a Recent ALJ Decision Narrowing the DOL’s Requests for Employees’ Contact Information
In the past few weeks, five putative class action lawsuits have been filed under the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., targeting defendants in the health care, senior living, commercial baking, meat processing and security industries. These recent suits join previously filed BIPA class actions against day care operators, tanning salons, video game manufacturers, hotel groups and supermarkets as well as much larger entities, including Facebook, Google, Shutterfly, Six Flags and Snapchat. All of these suits have similar allegations at their core: that defendants utilized employees’, customers’, or other persons’ biometric identifiers, such as fingerprints, voiceprints, retina scans or facial recognition technology, in violation of BIPA’s disclosure and consent requirements. All seek recovery of BIPA’s statutory liquidated damages of $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation, injunctive relief, and recovery of attorneys’ fees and costs.
Until the past 18 months, when the first of these suits was filed, BIPA had been a little-known statute. Enacted in 2008, BIPA was passed to protect against risk of identity theft resulting from the growing use of biometric technology to facilitate financial transactions and security screenings. 740 ILCS 14/5.
BIPA applies to both biometric identifiers, such as fingerprints, voiceprints, retina scans, and facial geometry, and other biometric information based on those identifiers to the extent used to identify an individual. 740 ILCS 14/10. BIPA is an important measure because, unlike such things as Social Security numbers and passwords that can be changed if necessary, biometrics are biologically unique and, when compromised, leave an individual without recourse. 740 ILCS 14/5. Continue Reading The Rise of Biometric Lawsuits in Illinois
The EU’s General Data Protection Regulation (679/2016/EU), the GDPR, comes into force across the EU on 25 May 2018. As it is being made by regulation, the GDPR, unlike the existing Data Protection Directive (implemented into the UK by the Data Protection Act 1998), will have direct effect throughout the EU. National governments will have some limited scope to tailor certain of its provisions to their jurisdiction. However, the GDPR will significantly harmonise the current national data protection laws across the EU.
Notwithstanding Brexit, the UK government has indicated its intention to implement the GDPR in full. The UK regulator’s (the Information Commissioner’s Office) powers and ability to work seamlessly with other national EU regulators will form a negotiation point in the coming Brexit deal. Continue Reading EU General Data Protection Regulation: A Summary for Non-EU Businesses
On July 10, 2017, the Consumer Financial Protection Bureau (the “CFPB”) finalized its proposed arbitration rule that will prohibit providers of certain consumer financial products and services from requiring a consumer to utilize mandatory pre-dispute arbitration in lieu of a consumer filing or participating in a class action (“Arbitration Rule”). In other words, no longer may covered entities require a consumer to use arbitration in lieu of class action participation. This Arbitration Rule will likely have far ranging consequences for covered providers, including mandatory updates to consumer agreements, likely increases to legal and compliance costs and increased operational risks in new consumer products.
Congress directed the CFPB to study pre-dispute arbitration agreements in the Dodd-Frank Wall Street Reform and Consumer Protection Act (“the Dodd-Frank Act”). The Dodd-Frank Act also authorized the CFPB, after completing the study, to issue regulations restricting or prohibiting the use of arbitration agreements if the CFPB found that such rules would be in the public interest and for the protection of consumers. In 2015, the CFPB published and delivered to Congress a study of arbitration. On May 24, 2016, the CFPB proposed the Arbitration Rule with a request for comment. Since May 2016 the CFPB has been silent, leading many in the financial services industry to believe that, with the change in administration, the CFPB had abandoned the Arbitration Rule. In finalizing the Arbitration Rule, the CFPB has answered the industry’s long outstanding question. Would the CFPB be more moderate in its approach in issuing regulation that drastically impacts financial services providers? The industry has its answer. The CFPB has answered in the negative. Continue Reading Another Day, Another Regulation: A Summary and Description of the CFPB’s Arbitration Rule
On June 19, 2017, the United States Supreme Court held that a portion of the first clause of the U.S. Trademark Law (the “Lanham Act”), which is commonly known as the disparagement clause, was facially unconstitutional under the First Amendment. Specifically, the Supreme Court found that a denial of registration of a mark under the disparagement clause of the Lanham Act, which prohibits registration of a mark that may “disparage … or bring … into contemp[t] or disrepute” any “persons, living or dead,” violates the Free Speech Clause of the First Amendment. The ruling, while rather shocking as to its reach, came as no surprise to the trademark community. This decision now casts a shadow on the remainder of what is called Section 2(a) and opens the door to further expansion of our understanding of speech.
This litigation began when Mr. Simon Shiao Tam, a humble guitar player in a band made up of Asian-American men that called itself The Slants, pushed to change the law. Mr. Tam’s fight began at the Trademark Office in 2010, when he filed an application to register the name of his band as a trademark. In 2011, Mr. Tam’s first application to register the band’s name as a trademark was denied under the disparagement clause. After Mr. Tam refiled a second application for the mark THE SLANTS and was rejected on the same grounds, he appealed the rejection to the Trademark Trial and Appeal Board, the Federal Circuit Court of Appeals, and ultimately the Supreme Court. Continue Reading The Slants Win in Matal v. Tam: Trademark Registration Cannot Be Denied for Offensive Terms
This is the fourth in a series of blog articles relating to the topics to be discussed at the 30th Annual Media and the Law Seminar in Kansas City, Missouri on May 4-5, 2017. Blaine C. Kimrey and Bryan K. Clark of Vedder Price are on the planning committee for the conference. In this article, we discuss how CNN is using advertising guidelines to fight back at being labeled “fake news.” The intersection of technology, truth, and the First Amendment will be among the topics to be discussed at the 2017 seminar.
Since the 2016 presidential election, the term “fake news” has become a ubiquitous part of our media and political vocabulary. But as we all know, the “fake news” label is often, well, “fake.” So what can media entities do when they are unfairly tagged with the “fake news” moniker? Normally not much—the First Amendment would make it rather difficult to challenge the truth of such a hyperbolic claim (and realistically, the media has no real interest in curtailing these free speech rights). CNN, however, has found a way to fight back that is sure to stir debate in media, legal and political circles. Continue Reading Is It “Fake News” To Call The Media “Fake News?”
This is the third in a series of blog articles relating to the topics to be discussed at the 30th Annual Media and the Law Seminar in Kansas City, Missouri on May 4-5, 2017. Blaine C. Kimrey and Bryan K. Clark of Vedder Price are on the planning committee for the conference. In this article, we discuss the Tor Browser and its relationship to privacy laws. Tor’s impact on anonymous speech and the tension between First Amendment rights and online threats to reputation, privacy and public safety will be among the topics discussed at the 2017 seminar.
Even among somewhat sophisticated privacy professionals and lawyers, the Tor Browser is sometimes a bit of a mystery. What is Tor, is it even legal, and, if so, what are the pros and cons associated with Tor? At a fundamental level, Tor is actually quite simple—Tor protects the privacy of its users by spreading communications across a series of servers around the world to make it difficult to determine who or where the individual user is. Tor is a volunteer operation and it is available to anyone willing and able to download the free software from Tor’s Web site.
In some circles, using Tor has taken on a negative connotation because (not surprisingly) individuals engaged in nefarious activities online have turned to Tor as a way to mask their identities. But there is nothing per se illegal about using Tor, and it can be a legitimate way to avoid unwanted digital tracking from corporations and circumvent censorship in countries under the thumb of oppressive regimes. In fact, the U.S. State Department has contributed millions of dollars over the years to help with the development of Tor in the interest of encouraging free speech in other countries. Continue Reading Tor Presents Compelling Privacy Puzzle