While the GDPR compliance clock is ticking for companies, EU Member States have also been preparing for the implementation of the General Data Protection Regulation (“GDPR”), which will become enforceable on May 25, 2018.

The GDPR will be directly applicable in all EU Member States without the need for implementing national laws. However, apart from the need to establish the supervisory authority, the GDPR provides Member States with the possibility to introduce more specific rules in a number of areas. These include employment, sensitive personal data such as health data, and the role of data protection officers.

Below is a survey of the GDPR guidance by Data Protection Authorities (DPAs) in several key Member States.

Dark patterns are top of mind for regulators on both sides of the Atlantic. In the United States, federal and state regulators are targeting dark patterns as part of both their privacy and traditional consumer protection remits. Meanwhile, the European Data Protection Board (EDPB) is conducting a consultation on proposed Guidelines (the “Guidelines”) for assessing and avoiding dark pattern practices that violate the EU General Data Protection Regulation (GDPR) in the context of social media platforms. In practice, the Guidelines are likely to have broader application to other types of digital platforms as well.

Indiana passed HB 1351 in March 2022, amending Indiana’s data breach notification law. Indiana’s breach notification law, as currently drafted, requires entities to notify Indiana residents and the Indiana Attorney General of a breach of the security of data without unreasonable delay and consistent with any measures necessary to determine the scope of the breach and restore the integrity of the system; or if notification will no longer impede a criminal or civil investigation or jeopardize national security. HB 1351 narrows the timeline for required data breach notifications, requiring entities to make required notifications without unreasonable delay, but no more than forty-five (45) days after the discovery of the breach. The amendment will be effective starting July 1, 2022. 

All fifty states and American territories have enacted different data breach notification statutes, which require organizations to notify individuals when certain Personally Identifiable Information (“PII”) has been “breached” by an unauthorized individual (i.e., a threat actor). Generally, American states and territories define a “breach” under four scenarios: 

  • Unauthorized Access to PII;
  • Unauthorized Acquisition of PII;
  • Unauthorized Access or acquisition of PII; or 
  • Unauthorized Access and acquisition of PII.  

Acquisition, otherwise described as exfiltration, is defined or understood as data that the attacker has downloaded or otherwise copied. 

Access is defined as any data the attacker reviewed, regardless of whether the data was exfiltrated. The definition of PII varies greatly by jurisdiction but generally includes an individual’s first and last name and/or first initial and last name and one or more categories of sensitive information (e.g., government issued identification numbers, financial information, or medical information). 

Similarly, the timeline in which organizations have to notify individuals varies greatly by jurisdiction. For example, in Maine, an organization must submit breach notifications to impacted individuals no more than 30 days after becoming aware of the breach and identifying its scope. Meanwhile, Connecticut requires organizations to notify impacted individuals no later than 90 days after discovery of such breach.  

While Indiana’s change in the timeline for notification to no later than 45 days aligns Indiana with the general timeline of all fifty states and American territories, it also reflects the priorities of the Indiana Attorney General’s Office – to timely notify affected individuals. To ensure that your organization is prepared to timely respond and meet its notification obligations, as a preliminary matter, it is best to ensure that you have a detailed Incident Response Plan and that your organization has taken the time to conduct tabletop exercises to practice the implementation and test the effectiveness of your plan.

Clients regularly turn to Kyle Dull for his knowledge and know-how in defending and resolving federal and state regulatory and enforcement actions. Informed by his prior position as an assistant attorney general in the Florida Attorney General’s Consumer Protection Division, Kyle has extensive experience in investigating and litigating privacy and advertising law violations. During his time in the Attorney General’s office, Kyle focused on singular and multistate enforcement actions involving advertising, marketing, price gouging, consumer finance, privacy and cybersecurity. He now draws on that experience to share insights with and advise clients on their own data privacy, cybersecurity and advertising risks.

The editorial advisory board provides feedback on Law360’s coverage and expert insight on how best to shape future coverage.


As CPW previously covered, the Fifth Circuit Court of Appeals, in a published decision, affirmed dismissal of Plaintiffs’ Complaint in Allen v. Vertafore, 21-20404, Fifth Circuit Court of Appeals, March 11, 2022. In its Opinion, the Fifth Circuit agreed with the district court that Plaintiffs failed to plead a cognizable claim under the federal Driver’s Privacy Protection Act (“DPPA”), 18 USC § 2721, et seq, refusing to revive a putative class action where Plaintiffs demanded USD $69.9 billion in liquidated damages.

Allen concerned a data event Vertafore publicly disclosed in November 2020, which involved the unsecured online storage of Texas drivers’ license data for over 27.7 million individuals. The first three cases were filed in the District of Colorado, Northern District of Texas, and Southern District of Texas, each seeking to represent 27.7 million class members and seeking more than USD $69 billion in statutory liquidated damages under the DPPA in addition to damages on negligence claims, injunctive relief, and potential punitive damages.

Consistent with Fifth Circuit precedent, to state a claim for a violation of the DPPA, the complaint must adequately allege that (1) the defendant knowingly obtained, disclosed, or used personal information; (2) from a motor vehicle record; and (3) for a purpose not permitted. On this basis, the first-filed Allen complaint was dismissed as the district court held Plaintiffs failed to adequately allege that Vertafore knowingly disclosed personal information for a purpose not permitted by the DPPA.

Plaintiffs then filed an appeal to the Fifth Circuit. The Fifth Circuit, however, affirmed the district court’s dismissal.

In the wake of this impressive win for Vertafore and the SPB Team, Bloomberg Law reached out to CPW’s Rafael Langer-Osuna and Kristin Bryan to get their insight on the impact this ruling will have on DPPA litigation going forward for a recently published article.

Kristin Bryan was quoted in the article as saying, “[t]he Driver’s Privacy Protection Act, enacted in 1994, prohibits the disclosure of personal information without consent, with some exceptions. It was passed to safeguard people’s privacy and safety and to regulate the disclosure of personal information by state Departments of Motor Vehicles—not to penalize companies in the wake of a data event, as is the case here. To successfully bring claims under the statute, plaintiffs must allege a knowing disclosure. The Fifth Circuit rightly recognized that a purported mismanagement of information—such as storing driver’s license data on unprotected servers—doesn’t clear that bar.”

In the article, Rafael Langer-Osuna notably states that “[t]he law has been attractive to plaintiffs because of the potential for high fees. It provides for liquidated damages of at least [USD]$2,500 per violation. Plaintiffs have been making this reach for a long time. Now they’ll be forced to rely on statutes that actually relate to the data breach context.”

For the full scoop, click here to see the news article by Bloomberg Law.

We again want to congratulate the SPB Vertafore team for successfully defeating this high-stakes data privacy case and subsequently paving the way for future DPPA litigation to come. 

On 25 March the US and EU announced “agreement in principle” on a new legal framework for GDPR-compliant transfers of EU personal data to the United States. The agreement reflects US commitment to implementing new safeguards designed to address concerns that led to the July 2020 Schrems II decision of the European Court of Justice (ECJ), striking down the EU adequacy decision underpinning Privacy Shield. While the announcement has been widely welcomed, it remains an “agreement in principle”, with details and timing yet to be confirmed. Along with expressions of welcome and relief, initial reactions also included a strong indication that the new arrangements are likely to be challenged by privacy campaigners including Max Schrems and NOYB, describing “Privacy Shield 2.0” as “lipstick on a pig”.

What is likely to change in the new agreement?

The success or failure of the new agreement will depend on the extent to which it overcomes the flaws identified by the ECJ in Schrems II. The ECJ ruled against the EU Commission’s adequacy decision in favour of Privacy Shield, finding that data subjects were inadequately protected against electronic surveillance or “signals intelligence” activities carried out under US Federal authority, and that data subjects impacted by such activities had no viable route to redress.

A White House briefing room fact sheet issued on 25 March set out the headline terms of the agreement, including key measures designed to “ensure the privacy of EU personal data and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities”. Specifically:

  • Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
  • EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
  • U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.

Privacy Shield 2.0?

It is important to remember that Schrems II did not strike down Privacy Shield, which has continued to operate since July 2020. Rather, the European Court of Justice ruling struck down the EU Commission’s adequacy decision in favour of Privacy Shield. Consequently, a key objective of the new Trans-Atlantic Data Privacy Framework is not to replace Privacy Shield, but to revive and enhance it with new mechanisms to address the flaws identified in Schrems II.

Participating companies and organizations that take advantage of the Framework to legally protect data flows will continue to be required to adhere to the Privacy Shield Principles, including the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce.

The language of the White House fact sheet suggests some areas likely to attract close scrutiny once the full details are available:

  • What degree of impact on individual data subjects will be considered acceptable, and in what circumstances? The US government is not promising to refrain from the use of signals intelligence and electronic surveillance. It is promising only that intelligence activity will be limited to “legitimate national security interests” and that the impact on individuals will not be “disproportionate”.
  • How far will the composition of the proposed Data Protection Review Court ensure that it is truly independent of the Federal government?

What happens next?

It is unlikely that the US administration or the EU Commission would have used a high profile event such as the President’s visit to Poland as the occasion to announce “agreement in principle” unless they shared a high degree of confidence that the new Framework will come into force. From the US side the new Framework requires an Executive Order, and is therefore within the authority of the President. From the EU side, the Commission must follow the procedures and consultation requirements under GDPR Article 45. That process requires:

  • A proposal from the European Commission
  • An opinion of the European Data Protection Board
  • An approval from representatives of EU member states
  • Adoption of the decision by the European Commission.

Inevitably, that process takes several months, and provides ample opportunity for challenge and debate. In the meantime, transfers of EU personal data to the US require specific transfer risk assessment, and consideration of a full set of safeguards to include legal measures (e.g., use of Standard Contract Clauses), technical measures (e.g., encryption before transfer) and organisational measures (e.g., employee policies).

The UK position

It is also essential to bear in mind that EU GDPR and UK GDPR are now separate bodies of law. While it is likely that the UK would recognise and adopt the new Framework, Brexit created the possibility of divergence should the UK government decide to adopt different or more relaxed rules or criteria from those applicable in the EU. Consequently, as well as monitoring the EU adequacy decision process, it will also be necessary to keep an eye on UK government responses. Subscribe here to follow those developments through Consumer Privacy World.

Our global Data Privacy, Cybersecurity and Digital Assets team is perfectly placed to assist organisations in navigating through this area. For assistance, please reach out to the authors.

Background

President Biden has recently delivered on a long-stated priority of his presidency: requiring the disclosure of cyber security incidents for companies that operate critical infrastructure. After announcing an executive order in May 2021 aimed at modernizing the federal government’s cybersecurity practices, the same sweeping changes will now affect private companies that operate critical infrastructure. At the time of the executive order, some noted that the recent string of high profile ransomware attacks was leading to a bipartisan effort to require disclosures of such incidents by those affected in the private sector. Indeed, Congress has acted quickly in codifying disclosure requirements for those that operate critical infrastructure.

Incorporated into the Consolidated Appropriations Act of 2022, the Cyber Incident Reporting for Critical Infrastructure Act (the “Act”) will require that covered entities that reasonably believe that they have experienced a “covered cyber incident” file a report with the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours. Further, in the event that a covered entity makes a ransomware payment as a result of a ransomware attack, they must report the payment to CISA within 24 hours. Supplemental reports to CISA are also required in the event that the covered entity becomes aware of substantial new or different information.

Who is Covered

As previously noted, the Act will require covered entities to alert CISA when they suspect that they have been the victim of a covered cyber incident. The Act defines a covered entity as “an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21.” Presidential Policy Directive 21 (the “Directive”) refers to a directive from 2013 pertaining to the security and resilience of critical infrastructure. The Directive defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” This broad definition can affect large swaths of the private sector, from energy production to banking.

Further, the Act requires the disclosure of covered cyber incidents, which are defined as “a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the final rule issued pursuant to section 2242(b)”. While the Act punts to the Director of CISA to determine what types of incidents will require notification, it provides some general guidance. At a minimum, the guidance provided by the final rule will require the disclosure of a cyber incident that:

  1. leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;
  2. disrupts the business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability, against (1) an information system or network; or (2) an operational technology system or process; or
  3. results in the unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.

Following the enactment of the Act, the Director of CISA will issue a notice of proposed rulemaking within 24 months. A final rule will then be adopted within 18 months following the notice of proposed rulemaking. Ultimately, these rules will outline in greater detail both what qualifies as a covered entity and a covered cyber incident.

Complying with the Act

The main purpose of the Act is to collect data on cyber security incidents. To that end, the only major change from the present status quo as a result of this Act is that reports regarding incidents and ransomware payments must be made to CISA. In the event that the Director suspects that a covered entity has been the victim of a cyber security incident, she may request that a report be filed by that entity within 72 hours. Similarly, in the event that the Director becomes aware that a ransomware payment has been made by a covered entity without filing a report, she may request one be filed within 24 hours. Failure to respond to the Director’s requests for either report could result in referrals to the Attorney General for civil penalties.

However, because the Act is merely a means to track and document cyber security incidents, the responses by the covered entities can largely remain the same. Thus, while the Act requires disclosures, it permits covered entities to engage in investigations with third parties. This includes engaging with a third party to conduct ransomware negotiations.

Conclusion

This shift in legal requirements for critical infrastructure represents a concerted effort by numerous actors in government to provide systems that can be used to track cyber security incidents. While this does not affect all private sector entities, all businesses should be aware of this trend. What started as an executive order less than a year ago has evolved into mandatory reporting for companies that engage in critical infrastructure. Since threat actors do not limit their attacks solely to critical infrastructure, it is entirely plausible that future legislation could be enacted to touch other areas in the private sector.

Because of this, all businesses, both those involved in critical infrastructure and those that are not, should take note of these trends. Ensuring that data is properly protected and that proper IT controls are established, such as two-factor authentication, can significantly reduce the possibility of cyber security incidents occurring. Further, establishing strong response plans that are regularly reviewed and updated can help limit the fallout associated with such incidents. A full list of recommended courses of action was previously explored in this article.

The authors would like to thank Matt Wagner, an associate in the firm, for his contribution to this post.


As reported in Law360, last week the Fifth Circuit Court of Appeals in a published decision affirmed dismissal of Plaintiffs’ Complaint in Allen v. Vertafore, 21-20404, Fifth Circuit Court of Appeals, March 11, 2022.  In its Opinion, the Fifth Circuit agreed with the district court that Plaintiffs failed to plead a cognizable claim under the federal Driver’s Privacy Protection Act (“DPPA”), 18 USC § 2721, et seq, refusing to revive a putative class action where Plaintiffs demanded $69.9 billion USD in liquidated damages.

CPW is proud to highlight Squire Patton Boggs (US) LLP’s representation of defendant Vertafore in this high-stakes data privacy case, including in particular the leadership of SPB Senior Partner Damond Mace and Partners (and regular CPW contributors) Kristin Bryan and Rafael Langer-Osuna.

Allen concerned a data event Vertafore publicly disclosed in November 2020, which involved the unsecured online storage of Texas drivers’ license data for over 27.7 million individuals.  The first three cases were filed in the District of Colorado, Northern District of Texas and Southern District of Texas, each seeking to represent 27.7 million class members and seeking more than US$69 billion in statutory liquidated damages under the DPPA in addition to damages on negligence claims, injunctive relief, and potential punitive damages.

Consistent with Fifth Circuit precedent, to state a claim for a violation of the DPPA, the complaint must adequately allege that (1) the defendant knowingly obtained, disclosed or used personal information; (2) from a motor vehicle record; and (3) for a purpose not permitted.  On this basis, the first-filed Allen complaint was dismissed as the district court held Plaintiffs failed to adequately allege that Vertafore knowingly disclosed personal information for a purpose not permitted by the DPPA.

Plaintiffs then filed an appeal to the Fifth Circuit.   The Fifth Circuit, however, affirmed the district court’s dismissal.

In its ruling, the Fifth Circuit commented that “[t]he [DPPA] ‘regulates the disclosure of personal information contained in the records of state motor vehicle departments.’”  (quotation omitted).  The statute “was enacted in 1994 to respond to at least two concerns: ‘The first was a growing threat from stalkers and criminals who could acquire personal information from state DMVs.  The second concern related to the States’ common practice of selling personal information to businesses engaged in direct marketing and solicitation.’”  To put it otherwise, the DPPA predated modern developments concerning data events and cyberattacks—notwithstanding its frequent use by plaintiffs in data breach-type litigations.

The Fifth Circuit affirmed dismissal of the Complaint for Plaintiffs’ failure to allege a “disclosure” of their information as required to state a cognizable DPPA claim.  As the Court reasoned:

[T]he only facts alleged in Plaintiffs’ complaint are that Vertafore stored personal information on “unsecured external servers” and that unauthorized users accessed that information.  Without more, these facts do not plausibly state a “disclosure” consistent with the plain meaning of that word.  Nothing about the words “unsecured” or “external” implies exposure to public view, and the mere fact that unauthorized users managed to access the information does not imply that Vertafore granted or facilitated that access.  After all, we would hardly say that personal information was “disclosed” if it was kept in hard copy and the papers were stolen out of an unlocked, but private, storage facility.

Though at this stage of the proceedings we draw all reasonable inferences in Plaintiffs’ favor, the inference Plaintiffs ask us to draw—from “stored on unsecured external servers” to “disclosed”—is not reasonable. Because Plaintiffs have not alleged a disclosure within the meaning of the DPPA, their complaint fails to state a plausible claim for relief.

(citations omitted).  Additionally, the Fifth Circuit also noted in a footnote that “Plaintiffs cite no case in which insufficiently secure data storage constituted a ‘disclosure’ within the meaning of the DPPA.”

Moving forward, the Fifth Circuit’s ruling will have a significant impact on cases brought under the DPPA and similar statutes.  Simply put, such statutes, with their large statutory damages provisions, are not meant to support claims for data breaches.  The Court’s definition of “disclosure”—that it requires that the defendant take action to expose the data to the public—will materially undermine future data breach-based DPPA claims.  This is a significant win for defendants as the DPPA claims carry a minimum of $2,500 in statutory liquidated damages per plaintiff and therefore have become attractive claims for plaintiffs’ attorneys bringing putative class actions in data privacy litigations.

The SPB Vertafore team consists of partners Damond Mace, Rafael Langer-Osuna, Kristin Bryan, and Brent Owen, of-counsel Bobby Hawkins, principal Amanda Dodds Price, and associate Marissa Black.

As CPW has previously covered, Utah is one of several states considering enacting a comprehensive privacy bill this year.  CPW’s Kristin Bryan and Kyle Fath were recently interviewed by Bloomberg Law concerning this development.  The full article is available here.

Kyle commented that “[d]espite the bill’s similarity to the Virginia law and its number of exemptions, it still complicates the national compliance picture.  Businesses may apply more stringent standards from jurisdictions like California to consumers in other states, such as Utah, because it can be complicated and costly to comply in a piecemeal manner.”

As Kristin explained, the failure of the federal government to enact comprehensive privacy legislation means that “many states are taking privacy regulations into their own hands,” and “[t]he inclusion of a private right of action for bills is a ‘worst case scenario’ for businesses that would be regulated under such laws.”  In this instance, she commented, “[i]t does appear [the Utah legislature is] trying to strike the right balance between providing privacy protections while also limiting the exposure to businesses, as seen by lack of private right of action.”

For more on this, stay tuned.  CPW will be there to keep you in the loop.