Cybersecurity News & Notes – July 19, 2016

In Case You Missed It: Court certifies class in suit against Apple. On July 15, 2016, U.S. District Judge Jon S. Tigar certified a class of users of the mobile app Path, who allege that Apple facilitated the app’s access to their contacts without their knowledge.  In the same decision, Judge Tigar denied certification to a proposed class of consumers who downloaded the app but never had their contacts uploaded.  Apple and Path are just two defendants named in a consolidated suit relating to questions concerning whether Apple’s mobile operating system, iOS, unlawfully uploads and disseminates users’ personal information (e.g.,… More

Law360: Pokemon Go Developer Wades Into Privacy Minefield

This post originally appeared in Law360. Written by Allison Grande. Edited by Philip Shea and Brian Baresch.

The rapid rise of the hit smartphone game “Pokemon Go” has opened the developer of the app up to heavy scrutiny from regulators and users, who may end up wielding a variety of privacy and consumer protection laws to address concerns over the type and quantity of data being collected.

Although it is barely a week old, the augmented-reality app has taken the smartphone world by storm, having been downloaded nearly 10 million times in the U.S., sending the stock of collaborator… More

At Long Last, US-EU Privacy Shield Adopted By EU Member States

Key takeaways:

The Privacy Shield will now go into effect. The preliminary start date for companies to be certified under the Privacy Shield is August 1, 2016. Expect more challenges to the Privacy Shield before all is said and done.

The Details:

Following the invalidation of the US-EU Safe Harbor by the European Court of Justice in the Schrems case, the European Commission negotiated with the US a new scheme called the Privacy Shield. The first draft was issued in February and submitted to the Article 29 Working Party, which gave its opinion on April 13, 2016. The EU… More

Pokémon Go Catches More Than It Bargained For

The recently released Pokémon Go has quickly emerged as a cultural phenomenon, with legions of players using their phones to “catch” Pokémon that emerge all around them, visible (thankfully) only to players.  While catching Pokémon by phone is far less cumbersome than collecting boxes upon boxes of Pokémon cards, as some of us did in the early aughts, it does come with its own set of pitfalls.  Specifically, users have learned that Niantic, the… More

Cybersecurity News & Notes – July 11, 2016

In Case You Missed It:  The EU/US Privacy Shield is set to go into effect this Tuesday, July 13, pending a decision today by the EU’s College of Commissioners.  On Friday, July 8, the Privacy Shield agreement (entered into in February) was adopted by EU member states. EU/US data transfer has been in limbo ever since the erstwhile Safe Harbor was invalidated by the European Court of Justice last year.  Stay tuned in this space for much more on the ins and outs of what the Privacy Shield says, and what it means for business.

News of Note:  In further evidence that… More

Cybersecurity News & Notes – July 5, 2016

In Case You Missed It: Ruling in FTC v. Amazon Suggests a Way Forward for Companies Responding to Actions Brought by the FTC after a Data Breach.  The FTC’s recent actions in the realm of data security have been predicated on its claim of statutory authority to seek injunctive relief for the failure to maintain reasonable and appropriate data security practices.  A U.S. District Court ruling last week casts some doubt on that authority.  Although the court concluded against Amazon on the facts at issue (involving in-app purchases, not data security), it also cast doubt on the FTC’s… More

Bad News for HIPAA Business Associates: HHS OCR Announces $650,000 Settlement for BA Breach

Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”), a HIPAA business associate, has agreed to pay the Department of Health and Human Services Office of Civil Rights (“OCR”) $650,000 in connection with a data breach involving the nursing homes to which it provides management and IT services.

The underlying breach occurred in February 2014 (which suggests a significant backlog at OCR in resolving open matters).  The breach itself was relatively insignificant compared to those we often see today involving millions of records:  this was the theft of an unsecured iPhone with health information of 412 nursing home patients.

The… More

Cybersecurity News and Notes: June 27, 2016

In Case You Missed It

The FTC settled with mobile advertising company InMobi for $950,000 in civil penalties, along with the implementation of a privacy program, based on the FTC’s charges that InMobi impermissibly tracked the locations of both adult and child consumers for the purpose of geo-targeted advertising.  The latter, of course, also implicated allegations of violations of the Children’s Online Privacy Protection Act (COPPA) rule.  The FTC alleged in particular that, when installing an application to which InMobi’s advertising was attached, even if a user declined to share location information with the application, InMobi’s software would… More

DHS Issues New Rules Governing Sharing of Cyberthreat Data

Last week, the Department of Homeland Security (“DHS”) released its Final Rules for private-sector information-sharing under the Cybersecurity Information Sharing Act of 2015 (“CISA”). CISA permits private companies to share cyber threat information with the U.S. government and shields those companies from liability for doing so.  The new CISA Rules outline exactly how this information-sharing will work, namely: how information is submitted; what information gets submitted; and what happens to the information after submission.

HOW IS INFORMATION SUBMITTED?

The preferred method for submitting cyber-threat data to DHS is through “TAXII”, short for “Trusted Automated Exchange of Indicator Information.”   TAXII… More

New Data Protection Obligations In Europe: Data Protection Officers and Impact Assessment under the New General Data Protection Regulation (GDPR)

The full text of the General Data Protection Regulation (GDPR) was published on 4 May 2016. Although the GDPR will not be effective until 25 May 2018, it is worth looking into it right now given the major changes it makes to the rules in the 1995 Directive.

Application of the GDPR

The GDPR applies to the processing of personal data by companies having an “establishment” in the European Union, regardless of whether the processing takes place in the EU or not. It also applies to companies not established in the EU, where the processing activities are related… More