The European Court of Justice Invalidates Safe Harbor

The European Court of Justice has just issued a decision (ECJ 6 October 2015 Case C-362/14, Maximillian Schrems v. Data Protection Commissioner) that invalidates the so-called US-EU “Safe Harbor” system. Suddenly, what 3,500 U.S. Companies (including some of the largest companies in the world) have been doing with personal data now potentially becomes illegal.

What is the background to this decision?

In 1995, the European Union adopted a Directive 95/46/EC aimed at providing a high level of protection of personal data throughout the European Union…. More

EU Safe Harbor Decision…. Initial Reactions

By now, you have no doubt heard that the European Union’s highest court today invalidated the U.S.-EU Safe Harbor Program.  The European Court of Justice overturned the European Commission’s 15 year old decision finding that the privacy principles of the U.S.-EU Safe Harbor provide an adequate level of protection of the data of EU citizens. Among other things, the court cited concerns that the data may be subject to U.S. government surveillance.

This ruling is very unsettling, as our initial reading is that this decision gives the EU member nations the power to act against companies even if they… More

What is reasonable? The emerging legalities of cybersecurity post-Wyndham

This month’s edition of the Advanced Cyber Security Center’s newletter includes my discussion of lessons to be learned from the Wyndham decision:

Historically, security was an issue reserved in a back room for the IT department, if there were even a budget and ample resources. To the public, cybersecurity meant identity theft and proceeded with business as usual with the comfort of an anti-virus protection that may have come with their computer.

On the other hand, large enterprises, especially those that dealt with classified information, intellectual property, and customer… More

Google and the Right to be Forgotten: The French Data Protection Authority Takes the Matter Further

On June 12, 2015 the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés – CNIL) issued a notice ordering Google to draw all the consequences of the CJEU May 13, 2014 ruling and to apply delisting not only to the national domain of the individual who requests delisting but on all of the search engine’s domains, including (see our article The Right to be Forgotten: Another Scuffle between Google and The French Data Protection Authority | Security, Privacy and the Law).

Google filed an informal appeal… More

New Credit Card Security Doesn’t Go Far Enough

By Martha Coakley and Jon Hurst

This entry originally ran as an op-ed in the September 25, 2015 edition of The Boston Globe.

Hardly a week goes by without a news report of a new cyberattack. As any consumer affected by fraud knows, the harm is real. The  impact on businesses, government, and other targets is also real, and includes monetary harm and reputational damage that can devastate those so reliant on the trust of their customers.

Retailers recognize that their commitment to protect information must evolve and… More

The SEC Charges Investment Adviser with Violating Regulation S-P by Failing to Adopt Cybersecurity Policies and Procedures

In recent years, the SEC has been focused on cybersecurity. It has issued risk alerts, conducted examinations and provided guidance about what the agency sees as widespread weaknesses in many policies and procedures to protect against cyberthreats. The SEC has now taken the next step: a few days ago, the SEC brought its first-ever enforcement action for a violation of Regulation S-P, 17 C.F.R. § 248.30(a) – known as the “Safeguards Rule” – against an investment adviser that was itself the victim of a security breach in which hackers stole customer information. See In re Matter of R.T. Jones Capital… More

SEC Issues Risk Alert Announcing Second Round of Examinations of Registered Investment Advisers and Broker-Dealers

From our colleagues Catherine Anderson and Lauren Tran, we present this update on OCIE’s 2015 Cybersecurity Examination Initiative:  Second Round of Cybersecurity Examinations to Begin

*   *   *

On September 15, 2015, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a Risk Alert announcing a second round of examinations of registered investment advisers and broker-dealers under its cybersecurity examination initiative. The Risk Alert’s purpose is to provide additional information on the areas of focus for the OCIE’s examinations, which will involve more testing to assess implementation… More

COPPA, Meet DOPPA – Delaware AG Action Leads to New Child-Protection Data Privacy Laws

Delaware Attorney General Matt Denn is serious about online privacy, and aims to make Delaware “the safest state in America for kids to use the internet.” This August, Delaware Governor Jack Markell signed into law four online privacy bills drafted by the Attorney General, the most substantial of which is the Delaware Online Privacy and Protection Act.

DOPPA goes further than its federal cousin, the Children’s Online Privacy Protection Act and resulting COPPA Rule, in a number of areas. As we have blogged about More

Third Circuit Not Hospitable to Wyndham, Upholds FTC’s Broad Powers to Regulate Cybersecurity

Over one year ago, our colleague Chris Hart argued that the District of New Jersey court’s decision in FTC v. Wyndham Worldwide Corp. et. al., No. 13-1887-ES, “point[ed] to the possibility that the FTC has potentially broad power, and a far reach, to bring actions for data breaches as a general matter.” That possibility became substantially more concrete this week, when the Third Circuit affirmed Judge Esther Salas’ refusal to dismiss the Federal Trade Commission’s lawsuit against Wyndham that alleged unfair and deceptive trade practices under 15… More

The FTC, COPPA, and Riyo’s “Face Match to Verified Photo Identification”

Webcamera on laptop staring at you(clipping path)The FTC’s COPPA (the Children’s Online Privacy Protection Act) Rule requires website operators to obtain “verifiable parental consent” prior to collecting, using, or disclosing personal information from children. Though the COPPA Rule enumerates several methods for obtaining consent, the FTC, sensitive to how fluid technological developments in this space can be, also allows pre-approval of new methods not listed in the Rule. 16 CFR 312.12(a). (As I previously blogged, the Rule also allows for broader safe harbors consisting of comprehensive “self-regulatory guidelines,”… More