After nine months of intense negotiations and uncertainty, and despite ongoing criticisms from powerful data protection regulators, the new EU-U.S. Privacy Shield program went into effect this week as the U.S. Department of Commerce began accepting applications online. Some companies that are self-certifying their compliance have already submitted their documentation and many more are expected to do so in the coming days and weeks as they seek shelter under the replacement for the long-standing EU-U.S. Safe Harbor arrangement that was invalidated by the European Court of Justice last year.

Companies can now “sign up” for the Privacy Shield list, but they should not expect a rubber stamp from the Commerce Department just because they have self-certified. To ensure that their applications are approved, companies should take the following steps:

  • Confirm that they are eligible to participate—not all organizations are. Only companies subject to the jurisdiction of the FTC or the DOT may participate at this time
  • Develop a Privacy Shield-compliant privacy policy statement
  • Identify their independent recourse mechanism—under the new framework, self-certifying organizations must provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual
  • Ensure that they have compliance verification mechanisms in place
  • Designate contacts within their organizations to serve as liaisons regarding the Privacy Shield
  • Review the information required to self-certify
  • Go online to www.privacyshield.gov to self-certify


Continue Reading Time to Raise Your Shield: The New EU-U.S. Framework Is Here

As published in State Bar of Michigan Health Care Law Section

“In recent years, the likelihood of suffering a data breach has risen significantly for American companies across numerous industries. Health care providers, in particular, have been targeted due to the value of the sensitive information they hold regarding their patients and employees, including birth

Last week, the European Commission unveiled the latest documentation related to the EU-U.S. Privacy Shield intended to restore trust in transatlantic data transfer and establish a mechanism for U.S. companies to once again transfer data from the EU with confidence. We wrote last month about the initial announcement of the Privacy Shield but expressed caution

On July 20, 2015, the Seventh Circuit reinstated a data breach class action in Remijas v. Neiman Marcus Group, LLC, No. 14-3122, after a 2013 malware attack on Neiman Marcus’s computer systems that resulted in the theft of customers’ credit and debit card information. The plaintiffs argued that they had constitutional standing to pursue their claims against the retailer based on an alleged increased risk of future fraudulent charges and greater susceptibility to identity theft. This decision is troubling and could have a potentially significant and wide-ranging impact on pending and future class actions brought in the wake of similar data breaches. In fact, plaintiffs’ lawyers already are citing the decision in other data breach class actions facing Rule 12 standing challenges. See, e.g., In re Barnes & Noble Pin Pad Litigation, No. 12-08617, U.S. Northern District of Illinois.
Continue Reading Seventh Circuit Resurrects Data Breach Class Action and Stymies Standing Challenge

A familiar refrain of some corporate clients discussing data breaches is: “We’re not a health care company. We also don’t process customer credit card transactions. We really don’t collect protected health information or personally identifiable information from customers in any way. Do we need to be worried about data breaches?” A June 15, 2015 decision from the U.S. Central District of California reaffirms that the answer is a resounding, unqualified YES for any company that has employees, which means almost any company of any kind, regardless of whether it provides health-care-related services or processes customer credit card transactions.
Continue Reading Data Breach Case Survives Rule 12 – Sony Employee Negligence Claims Still Kicking

As we reach the midpoint of 2015, it is a good time to check in on the progress of the Data Breach and Security Notification Act of 2015 that is making its way through Congress. Most privacy experts and data breach practitioners agree that a single nationwide data breach notification statute would be superior to the current state-by-state regime—it would certainly make data breach response much easier and more cost-effective—but there is considerable debate about what that statute should say. 
Continue Reading Checking In On the Federal Data Breach Notification Law

The National Labor Relations Board (NLRB) may be yet another new sheriff in town (in addition to all the other sheriffs such as the FTC, FCC, SEC, OCR, OIG, state AGs, etc.), poised to box the ears of data breach “scofflaws” with expensive, time-consuming, conflicting and perhaps impossible-to-comply-with requirements related to computer security incidents.
Continue Reading NLRB Steps into the Data Breach

PCI DSS. If your company deals with credit cards and you don’t know what those letters stand for, you should. While the public relations nightmares, response costs and expensive class action defense fees associated with major data breaches garner most of the headlines in the mainstream media, many companies that are victims of data breaches also face significant compliance costs, penalties and fines as a result of contractual relationships with credit card companies, credit card processors and banks. These all stem from a company’s failure to comply with PCI DSS.

So what is PCI DSS? It’s the Payment Card Industry Data Security Standard, which is the proprietary information security standard for organizations that handle branded credit cards from the major card brands, including Visa, MasterCard, American Express and Discover. PCI DSS compliance is an ongoing process and is far too complicated to discuss in detail here. For an overview of PCI DSS and the complete requirements, you can go here. But for our purposes, we will just focus on the risks of not complying.
Continue Reading PCI DSS Compliance: A Difficult Task Worth Doing