As we speed past Thanksgiving and enter the holiday season, kids shouldn’t be the only ones putting together their wish lists. Here are some things that might not fit under a tree, but would certainly fill us with the joy of the season.
Just when you thought it was safe to open your e-mail again without being inundated with updated privacy policies, here comes the California Consumer Privacy Act of 2018 (“CCPA”). The new law, which goes into effect on January 1, 2020, will expand the privacy rights of California residents and bring some of the EU’s widely discussed General Data Protection Regulation (“GDPR”) to the United States. There will be lots to talk about over the next year and a half as companies gear up for compliance, but here are some key features to be aware of:
On April 10, 2018, the Federal Financial Institutions Examination Council (the “FFIEC”), an interagency body composed of the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency and the State Liaison Committee, issued guidance to assist financial institutions in analyzing the use of cyber insurance in an effective risk management program (the “Guidance”).
This is the third in a series of blog articles relating to the topics to be discussed at the 30th Annual Media and the Law Seminar in Kansas City, Missouri on May 4-5, 2017. Blaine C. Kimrey and Bryan K. Clark of Vedder Price are on the planning committee for the conference. In this article, we discuss the Tor Browser and its relationship to privacy laws. Tor’s impact on anonymous speech and the tension between First Amendment rights and online threats to reputation, privacy and public safety will be among the topics discussed at the 2017 seminar.
Even among somewhat sophisticated privacy professionals and lawyers, the Tor Browser is sometimes a bit of a mystery. What is Tor, is it even legal, and, if so, what are the pros and cons associated with Tor? At a fundamental level, Tor is actually quite simple—Tor protects the privacy of its users by spreading communications across a series of servers around the world to make it difficult to determine who or where the individual user is. Tor is a volunteer operation, and it is available to anyone willing and able to download the free software from Tor’s Web site.
In some circles, using Tor has taken on a negative connotation because (not surprisingly) individuals engaged in nefarious activities online have turned to Tor as a way to mask their identities. But there is nothing per se illegal about using Tor, and it can be a legitimate way to avoid unwanted digital tracking from corporations and circumvent censorship in countries under the thumb of oppressive regimes. In fact, the U.S. State Department has contributed millions of dollars over the years to help with the development of Tor in the interest of encouraging free speech in other countries. [Full post: Tor Presents Compelling Privacy Puzzle]
Businesses have largely benefitted from the proliferation of mobile devices and text messaging apps that facilitate quick, round-the-clock communications. However, such technologies also make it increasingly difficult to monitor and control the unauthorized distribution of confidential data. On March 30, UK regulators fined a former managing director of Jefferies Group for divulging confidential client information. The banker, Christopher Niehaus, shared confidential information with two friends using WhatsApp, a popular text messaging app. The exposed information included the identity of a Jefferies Group client, the details of a deal involving the client, and the bank’s fee for the transaction. Perhaps the most surprising aspect of this story is that the leak was discovered at all. Because data sent on WhatsApp are encrypted and Mr. Niehaus used his personal mobile phone to send the messages, Jefferies Group only viewed the communications—and subsequently informed regulators—after Mr. Niehaus turned his device over to the bank in connection with an unrelated investigation. [Full post: Encrypted Messaging Apps Create New Data Privacy Headaches for Employers]
On December 6, 2016, the U.S. Supreme Court, in Samsung Electronics Co. Ltd. v. Apple Inc., 580 U.S. ____ (2016), unanimously ruled that in multicomponent products, the “article of manufacture” subject to an award of damages under 35 U.S.C. §289 is not required to be the end product sold to consumers but may be only a component of the product.
In 2007, when Apple launched the iPhone, it had secured several design patents in connection with the launch. When Samsung released a series of smartphones resembling the iPhone, Apple sued Samsung, alleging that the various Samsung smartphones infringed Apple’s design patents. A jury found that several Samsung smartphones did infringe those patents. Apple was awarded $399 million in damages for Samsung’s design patent infringement, the entire profit Samsung made from its sales of the infringing smartphones. The Federal Circuit affirmed the damages award, rejecting Samsung’s argument that damages should be limited because the relevant articles of manufacture were the front face or screen rather than the entire smartphone. [Full post: U.S. Supreme Court Revisits Design Patent Damages]
While the New Jersey Truth-in-Consumer Contract, Warranty and Notice Act (the TCCWNA) has been around for over 30 years, there has been a recent surge in the filing of class action lawsuits under the statute against businesses engaged in e-commerce. The statute was enacted in 1981 to regulate “consumer contracts, warranties, notices and signs contain[ing] provisions which clearly violate the rights of consumers.” Although such provisions are legally unenforceable, the legislature reasoned that “their very inclusion in a contract, warranty, notice or sign deceives a consumer into thinking that they are enforceable and for this reason the consumer often fails to enforce his rights.”
Initially, the statute was not used very much and remained dormant during the first 30 years following its enactment. Recently, however, the plaintiffs’ bar has resurrected the statute, targeting the website terms and conditions of businesses engaged in e-commerce. This resurrection began in 2013 as a result of the New Jersey Supreme Court holding that certificates issued by restaurants and offered for purchase by an Internet marketer are subject to TCCWNA rules, and it has continued for a few reasons. First, plaintiffs are asserting that the TCCWNA is very broad in scope. Indeed, plaintiffs’ lawyers contend that it applies to consumers who suffered no actual injury. Additionally, the statute provides for statutory damages of $100 per customer as well as attorney’s fees and costs, which creates the potential for very large monetary awards. Finally, while more guidance is necessary to determine how courts will treat e-commerce TCCWNA claims, there have been several plaintiff-friendly TCCWNA decisions in New Jersey. [Full post: New Jersey Consumer Statute Presents Trap for Unwary Retailers Engaged in E-Commerce]
After nine months of intense negotiations and uncertainty, and despite ongoing criticisms from powerful data protection regulators, the new EU-U.S. Privacy Shield program went into effect this week as the U.S. Department of Commerce began accepting applications online. Some companies that are self-certifying their compliance have already submitted their documentation and many more are expected to do so in the coming days and weeks as they seek shelter under the replacement for the long-standing EU-U.S. Safe Harbor arrangement that was invalidated by the European Court of Justice last year.
Companies can now “sign up” for the Privacy Shield list, but they should not expect a rubber stamp from the Commerce Department just because they have self-certified. To ensure that their applications are approved, companies should take the following steps:
- Confirm that they are eligible to participate—not all organizations are. Only companies subject to the jurisdiction of the FTC or the DOT may participate at this time
- Identify their independent recourse mechanism—under the new framework, self-certifying organizations must provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual
- Ensure that they have compliance verification mechanisms in place
- Designate contacts within their organizations to serve as liaisons regarding the Privacy Shield
- Review the information required to self-certify
- Go online to www.privacyshield.gov to self-certify
It’s been a while since we last published for our firm blog Media & Privacy Risk Report, and one thing is largely to blame: ransomware attacks on our clients have been keeping us very busy. We’ve learned many lessons from these attacks that we plan to share over the coming months with our readers. But the focus of this post is recent guidance from the Office of Civil Rights of the Department of Health and Human Services (OCR) indicating that any ransomware attack involving protected health information (PHI) could be a data breach with Health Insurance Portability and Accountability Act (HIPAA) reporting obligations.
Often in ransomware matters, a hacker encrypts data and demands that a ransom be paid (usually in Bitcoin) before the hacker will decrypt the data and make it once again accessible to the data owner (or covered entity) or maintainer (or business associate). But just because a hacker has frozen your data, does that mean that the hacker has accessed, acquired or exfiltrated your data? Isn’t it possible that a hacker could freeze your data without accessing, acquiring or exfiltrating it? By analogy, couldn’t someone render the locks on your house unusable (and thus your house inaccessible to you without a forced break-in) without actually accessing your house, acquiring anything within your house, or taking anything out of your house? It would seem that the answer would be yes. But if the OCR is asked that question, the presumption is that the answer is no, at least in the realm of ransomware attacks. [Full post: OCR: Ransomware Attack Often Is a Data Breach]
On Wednesday, President Obama signed the federal Defend Trade Secrets Act of 2016 (the “Act”) that passed both houses of Congress in late April. The statute is the first federal statutory protection afforded to trade secrets and could have a significant impact on trade secrets litigation nationwide. The passage of the law comes as no surprise, and much has already been written about what it means for the future of these disputes. But what about those who are currently involved in trade secrets litigation—could the Act change the course of those cases? There is not a definitive answer, but it is something that all litigants should consider now that the Act has become law.
The first question is whether the Act applies at all in such instances. The Act applies to “any misappropriation of a trade secret (as defined in section 1839 of title 18, United States Code, as amended by this section) for which any act occurs on or after the date of the enactment of this Act.” S. 1890, 114th Cong. § 2(e) (emphasis added). “Misappropriation” is defined as “(A) acquisition of a trade secret of another by a person who knows or has reason to know that the trade secret was acquired by improper means; or (B) disclosure or use of a trade secret of another without express or implied consent.” 18 U.S.C. § 1839(5). So, in litigation where the “use” of trade secrets is ongoing, there may be an argument that the Act applies. [Full post: Impact of Defend Trade Secrets Act on Pending Cases is Unclear]