The UK government’s reform of data protection laws and the mechanics of cross-border data transfers has accelerated in the first half of 2022.

Various European regulators, including the UK’s Information Commissioner’s Office (ICO) have expressed an intent to more closely monitor compliance with the data transfer rules and impose potentially significant fines where breaches are uncovered – capped in the UK at the higher of £17m or 4% of group worldwide turnover.  US recipients of personal data gathered in the UK (whether from a group subsidiary or otherwise) should act now to assess their current compliance and plug any gaps.

In order for personal data gathered in the UK to be transferred, in a compliant manner, to the US a number of steps must be taken:

Continue Reading UK-US Data Transfers Post Brexit

Lock on Computer

On February 9, 2022, the Securities and Exchange Commission (the SEC) issued proposed rules 206(4)-9 under the Investment Advisers Act of 1940, as amended (Advisers Act) and 38a-2 under the Investment Company Act of 1940 (Investment Company Act) (such rules collectively referred to as the ‘cybersecurity risk management rules’), to require investment advisers registered under the Advisers Act (advisers) and registered investment companies under the Investment Company Act (funds) to adopt and implement significant new written cybersecurity policies and procedures. At a high level, the proposed rules would require annual reviews, add new disclosure requirements, and add new SEC and investor reporting requirements, among other requirements.
Continue Reading SEC Proposes New Cybersecurity Rules for Investment Advisers and Investment Companies

FingerprintIn yet another blow to employers facing claims under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.), the Illinois Supreme Court held that the Illinois Workers’ Compensation Act (“IWCA”) (820 ILCS 305/1 et seq.) does not preempt BIPA claims for statutory damages brought by employees.  The Court’s holding in McDonald v. Symphony Bronzeville Park, LLC, et al. awas not unexpected by most BIPA practitioners, and will likely trigger the resumption of many dozens of BIPA workplace lawsuits which were stayed while the Illinois justices considered the case.
Continue Reading Illinois Supreme Court Eliminates Another BIPA Defense

Phone and gavelThanks to the Supreme Court’s decision in Facebook v. Duguid, 141 S. Ct. 1163 (2021), 2021 will go down as one of the most significant years in the history of the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”).  And while the second half of 2021 did not produce the fireworks that we saw earlier in the year, there are still some cases worthy of note as we enter the new year.  We summarize here developments since our last update, listed by issue category in alphabetical order.
Continue Reading TCPA Turnstile: 2021 came in like a lion, and went out more like a lamb for TCPA law (TCPA Case Update Vol. 16)

The U.S. Supreme Court dealt a blow last week to litigants—both criminal and civil—who have attempted to use the “exceeds authorized access” provision of the Computer Fraud and Abuse Act (“CFAA” or “Act”), 18 U.S.C. § 1030, to hold former employees, competitors and others accountable for inappropriately utilizing electronic information.  In its 6-3 decision in Van Buren v. United States, the Court resolved a long-standing split on the scope of Section 1030(a)(2), providing a narrow answer to the question of whether an individual “exceeds authorized access” to electronic information in violation of the CFAA if he or she is authorized to access the information but does so for an improper purpose.  The holding will make it more difficult for prosecutors and civil litigants to wield the CFAA in some scenarios where data is misused, but not necessarily stolen.
Continue Reading Supreme Court Slashes CFAA Claims Involving Authorized Access for an Illicit Purpose

The following August 28 blog post inspired the Law360 article, “Employers Should Be Wary Of Turning Over Employee Info,” published on October 5, 2017. See full article below.

When a government agency requests the contact information for a company’s employees, whether by subpoena, CID or otherwise, its knee-jerk reaction may be to produce the data without a second thought. After all, failing to comply with an agency’s information request can have serious consequences, including significant fines and attorneys’ fees. However, employers are also obligated to protect their employees’ personal information from improper disclosure. In fact, most states have passed data privacy and security laws to protect employees’ personal information against unauthorized use and identity theft. A recent ruling authored by a Department of Labor Administrative Law Judge offers some tips to employers facing demands for their employees’ confidential personal information.[1]

In July, ALJ Steven Berlin ruled that the DOL Office of Federal Contract Compliance’s demand for employee contact information from Google was overbroad and intrusive on employee privacy. The OFCCP requested the name, address, telephone number and personal e-mail address of over 25,000 Google employees in connection with an audit of the tech giant’s compensation practices. Judge Berlin substantially limited the OFCCP’s request, citing a number of employee privacy concerns.
Continue Reading Lessons for Employers from a Recent ALJ Decision Narrowing the DOL’s Requests for Employees’ Contact Information

If you follow developments in TCPA case law, you’ve probably heard by now that the DC Circuit Court of Appeals last week overturned the 2015 FCC Order that had required TCPA opt-out notices on both solicited and unsolicited faxes. The court held that the FCC’s rule was “unlawful to the extent that it requires opt-out notices on solicited faxes.” See Bais Yaakov of Spring Valley v. FCC, et al., Case No. 14-1234 (D.C. Cir.). In fact, the DC Circuit—despite years of FCC guidance, 13 consolidated appeals and more than two dozen lawyers participating in the briefing—seemed to view this as a relatively simple issue of statutory construction: “The text of the Act provides a clear answer to the question presented in this case. . . . Congress drew a line in the text of the statute between unsolicited fax advertisements and solicited fax advertisements. Unsolicited fax advertisements must include an opt-out notice. But the Act does not require (or give the FCC authority to require) opt-out notices on solicited fax advertisements. It is the Judiciary’s job to respect the line drawn by Congress, not to redraw it as we might think best.”
Continue Reading DC Circuit Opts Out of Flawed FCC Ruling

Smiling PigPlaintiffs’ lawyers across the land have trumpeted the U.S. Supreme Court’s decision in Spokeo as a victory (or at least not a loss). Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).  At least one plaintiff’s lawyer has gone so far as to suggest that defense lawyers who raise Spokeo-based arguments should fear sanctions.  As a Southern colleague of mine would say, those lawyers are trying to make a silk purse of a sow’s ear.

Although many post-Spokeo decisions have not yielded dismissal, many have, and they have done so based largely on Spokeo, which does more than reaffirm prior notions of standing and rather strengthens them in a way that is quite beneficial to corporate defendants facing trumped-up claims with no real harm.  One of the most recent defense victories post-Spokeo is Meyers v. Nicolet Rest. of De Pere, LLC, 2016 U.S. App. LEXIS 22139 (7th Cir. Dec. 13, 2016).
Continue Reading Spokeo Was a Loss for Plaintiffs, Seventh Circuit Reaffirms

After nine months of intense negotiations and uncertainty, and despite ongoing criticisms from powerful data protection regulators, the new EU-U.S. Privacy Shield program went into effect this week as the U.S. Department of Commerce began accepting applications online. Some companies that are self-certifying their compliance have already submitted their documentation and many more are expected to do so in the coming days and weeks as they seek shelter under the replacement for the long-standing EU-U.S. Safe Harbor arrangement that was invalidated by the European Court of Justice last year.

Companies can now “sign up” for the Privacy Shield list, but they should not expect a rubber stamp from the Commerce Department just because they have self-certified. To ensure that their applications are approved, companies should take the following steps:

  • Confirm that they are eligible to participate—not all organizations are. Only companies subject to the jurisdiction of the FTC or the DOT may participate at this time
  • Develop a Privacy Shield-compliant privacy policy statement
  • Identify their independent recourse mechanism—under the new framework, self-certifying organizations must provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual
  • Ensure that they have compliance verification mechanisms in place
  • Designate contacts within their organizations to serve as liaisons regarding the Privacy Shield
  • Review the information required to self-certify
  • Go online to www.privacyshield.gov to self-certify


Continue Reading Time to Raise Your Shield: The New EU-U.S. Framework Is Here

It’s been awhile since last we published for our firm blog Media & Privacy Risk Report, and one thing is largely to blame: ransomware attacks on our clients have been keeping us very busy. We’ve learned many lessons from these attacks that we plan to share over the coming months with our readers. But the focus of this post is recent guidance from the Office of Civil Rights of the Department of Health and Human Services (OCR) indicating that any ransomware attack involving protected health information PHI) could be a data breach with Health Insurance Portability and Accountability Act (HIPAA) reporting obligations.

Often in ransomware matters, a hacker encrypts data and demands that a ransom be paid (usually in Bitcoin) before the hacker will decrypt the data and make it once again accessible to the data owner (or covered entity) or maintainer (or business associate). But just because a hacker has frozen your data, does that mean that the hacker has accessed, acquired or exfiltrated your data? Isn’t it possible that a hacker could freeze your data without accessing, acquiring or exfiltrating it? By analogy, couldn’t someone render the locks on your house unusable (and thus your house inaccessible to you without a forced break-in) without actually accessing your house, acquiring anything within your house, or taking anything out of your house? It would seem that the answer would be yes. But if the OCR is asked that question, the presumption is that the answer is no, at least in the realm of ransomware attacks.
Continue Reading OCR: Ransomware Attack Often Is a Data Breach