On April 10, 2018, the Federal Financial Institutions Examination Council (the “FFIEC”), an interagency body composed of the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency and the State Liaison Committee, issued guidance to assist financial institutions in analyzing the use of cyber insurance in an effective risk management program (the “Guidance”).
Overview of the Ruling
On March 16, 2018, just before tip-off in the first round of the NCAA tournament, the D.C. Circuit provided the TCPA defense bar with a new playbook of sorts, in the form of a decision that will surely change the game for TCPA litigation. The case, of course, is ACA International v. FCC, and the ruling came down nearly 18 months after oral arguments. ACA Int’l et al. v. FCC, No. 15-1211, Doc. No. 1722606 (D.C. Cir. Mar. 16, 2018). It appears to be worth the wait as the D.C. Circuit slam dunked the former definition of automated telephone dialing equipment (“ATDS”) and the “one-call safe harbor” rule for reassigned numbers.
What Is GDPR?
The EU General Data Protection Regulation (GDPR)—described as “the most important change in data privacy regulation in 20 years”—becomes enforceable by law on May 25, 2018. After four years of preparation and debate, GDPR was approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. According to EUGDPR.org, the overarching purpose of GDPR is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Organizations expected to comply include those located within the EU; those that offer goods or services to, or monitor the behavior of, EU data subjects; and all companies processing and holding the personal data of data subjects residing in the EU.
A North Carolina bill designed to strengthen the state’s data breach notification statute could radically change incident response. Through the Act to Strengthen Identity Theft Protections, North Carolina could quickly become one of the strictest jurisdictions for data security in the country. The text of the bill has not yet been made public, but a fact sheet released earlier this month indicates that North Carolina may take drastic steps to address the fact that 5.3 million North Carolinians were impacted by data breaches in 2017.
As 2017 comes to a close and companies look to planning initiatives for 2018, there is one date that should be front and center for privacy professionals: May 25, 2018. That is the date that the EU’s General Data Protection Regulation (GDPR) goes into effect, meaning that any company dealing with EU consumer data needs to have a plan in place. The GDPR has been looming for almost two years now (since its adoption on April 27, 2016), so hopefully most companies impacted by the regulation have already begun to implement compliance mechanisms. But if not, it’s not too late.
We have written previously in this space about the scope of the GDPR requirements. The question now is what companies covered by the GDPR should be doing as they head into 2018. Here are some critical steps to make sure you are on track for GDPR compliance:
The following August 28 blog post inspired the Law360 article, “Employers Should Be Wary Of Turning Over Employee Info,” published on October 5, 2017. See full article below.
When a government agency requests the contact information for a company’s employees, whether by subpoena, CID or otherwise, its knee-jerk reaction may be to produce the data without a second thought. After all, failing to comply with an agency’s information request can have serious consequences, including significant fines and attorneys’ fees. However, employers are also obligated to protect their employees’ personal information from improper disclosure. In fact, most states have passed data privacy and security laws to protect employees’ personal information against unauthorized use and identity theft. A recent ruling authored by a Department of Labor Administrative Law Judge offers some tips to employers facing demands for their employees’ confidential personal information.
In July, ALJ Steven Berlin ruled that the DOL Office of Federal Contract Compliance’s demand for employee contact information from Google was overbroad and intrusive on employee privacy. The OFCCP requested the name, address, telephone number and personal e-mail address of over 25,000 Google employees in connection with an audit of the tech giant’s compensation practices. Judge Berlin substantially limited the OFCCP’s request, citing a number of employee privacy concerns.
In the past few weeks, five putative class action lawsuits have been filed under the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14/1 et seq., targeting defendants in the health care, senior living, commercial baking, meat processing and security industries. These recent suits join previously filed BIPA class actions against day care operators, tanning salons, video game manufacturers, hotel groups and supermarkets as well as much larger entities, including Facebook, Google, Shutterfly, Six Flags and Snapchat. All of these suits have similar allegations at their core: that defendants utilized employees’, customers’, or other persons’ biometric identifiers, such as fingerprints, voiceprints, retina scans or facial recognition technology, in violation of BIPA’s disclosure and consent requirements. All seek recovery of BIPA’s statutory liquidated damages of $1,000 for each negligent violation, or $5,000 for each intentional or reckless violation, injunctive relief, and recovery of attorneys’ fees and costs.
Until the past 18 months, when the first of these suits was filed, BIPA had been a little-known statute. Enacted in 2008, BIPA was passed to protect against the risk of identity theft resulting from the growing use of biometric technology to facilitate financial transactions and security screenings. 740 ILCS 14/5.
BIPA applies to both biometric identifiers, such as fingerprints, voiceprints, retina scans, and facial geometry, and other biometric information based on those identifiers to the extent used to identify an individual. 740 ILCS 14/10. BIPA is an important measure because, unlike such things as Social Security numbers and passwords that can be changed if necessary, biometrics are biologically unique and, when compromised, leave an individual without recourse. 740 ILCS 14/5.
The EU’s General Data Protection Regulation (679/2016/EU), the GDPR, comes into force across the EU on 25 May 2018. As it is being made by regulation the GDPR, unlike the existing Data Protection Directive (implemented into the UK by the Data Protection Act 1998), will have direct effect throughout the EU. National governments will have some limited scope to tailor certain of its provisions to their jurisdiction. However, the GDPR will significantly harmonise the current national data protection laws across the EU.
Notwithstanding Brexit, the UK government has indicated its intention to implement the GDPR in full. The UK regulator’s (the Information Commissioner’s Office) powers and ability to work seamlessly with other national EU regulators will form a negotiation point in the coming Brexit deal.
On July 10, 2017, the Consumer Financial Protection Bureau (the “CFPB”) finalized its proposed arbitration rule that will prohibit providers of certain consumer financial products and services from requiring a consumer to utilize mandatory pre-dispute arbitration in lieu of a consumer filing or participating in a class action (“Arbitration Rule”). In other words, no longer may covered entities require a consumer to use arbitration in lieu of class action participation. This Arbitration Rule will likely have far-ranging consequences for covered providers, including mandatory updates to consumer agreements, likely increases in legal and compliance costs, and increased operational risks in new consumer products.
Congress directed the CFPB to study pre-dispute arbitration agreements in the Dodd-Frank Wall Street Reform and Consumer Protection Act (“the Dodd-Frank Act”). The Dodd-Frank Act also authorized the CFPB, after completing the study, to issue regulations restricting or prohibiting the use of arbitration agreements if the CFPB found that such rules would be in the public interest and for the protection of consumers. In 2015, the CFPB published and delivered to Congress a study of arbitration. On May 24, 2016, the CFPB proposed the Arbitration Rule with a request for comment. Since May 2016 the CFPB has been silent, leading many in the financial services industry to believe that, with the change in administration, the CFPB had abandoned the Arbitration Rule. In finalizing the Arbitration Rule, the CFPB has answered the industry’s long-outstanding question: would the CFPB be more moderate in its approach to issuing regulation that drastically impacts financial services providers? The industry has its answer. The CFPB has answered in the negative.