International Updates (Excluding the EU)
India’s Draft Data Protection Bill: Another GDPR Around the Corner?
India recently introduced the Personal Data Protection Bill 2018. The transfer of personal data in India is currently governed by the SPD Rules (Sensitive Personal Data and Information, 2011), which are widely considered outdated and not fully protective of personal data. The bill follows the Supreme Court of India’s recent judgment declaring privacy a fundamental right of the individual.
Brazil Transitions from Sectoral to Omnibus Privacy Regime
On August 14, Brazil adopted its new General Data Protection Law (LGPD) designed to replace and/or supplement its existing sectoral privacy framework. Brazil’s LGPD echoes many of the components of the GDPR and will likely serve as part of Brazil’s own push for a reciprocal adequacy finding from the European Commission similar to the one Japan received this past July. In addition to the LGPD, President Temer has stated that the government will establish a Brazilian national data protection authority with a separate bill.
Applying GDPR Experiences to the CCPA
Alston & Bird recently issued an advisory entitled “Applying GDPR Process Lessons to the CCPA,” authored by Jim Harvey and Karen Sanzaro. The recently and hastily adopted California Consumer Privacy Act of 2018 (CCPA) has already been compared to the EU’s General Data Protection Regulation (GDPR), though the two differ greatly in scope and content. Nevertheless, there are valuable insights to glean from the GDPR adoption process that can give companies a head start on implementing the CCPA.
Landmark New Privacy Law in California to Challenge Businesses Nationwide
Following our June 4 and July 2 blog posts tracking the November 2018 California ballot measure that was hastily converted into a new state privacy law, the California Consumer Privacy Act of 2018 (CCPA), Alston & Bird’s Privacy & Data Security Group released a more detailed “first look” review of California’s sweeping new law. The advisory provides an overview of the new law, which establishes an array of privacy rights for state residents and a host of worries for businesses nationwide, and concludes with key initial takeaways for business. Read the advisory here.
An Update on the California Consumer Privacy Act and Its Private Right of Action
While it remains to be seen what the final text of the CCPA will look like when it is ultimately implemented on January 1, 2020, at present it seems likely that businesses and employers can expect an influx of lawsuits from individual consumers proceeding under the CCPA’s private right of action. Under the current version of the CCPA, the Act provides a private right of action for consumers whose personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
California Legislature Amends CCPA
On Friday, August 31, the California Senate and Assembly passed SB-1121, amending the CCPA as enacted in June. We previously issued an advisory following the June enactment and hosted a webinar discussing the law (as now amended) on September 12. This blog post highlights some of the key amendments to the CCPA.
Note: Governor Jerry Brown has since signed SB-1121 into law.
SEC Brings First Enforcement Action for Violation of the Identity Theft Red Flags Rule
On September 26, 2018, the SEC brought its first enforcement action for violations of Regulation S-ID (the “Identity Theft Red Flags Rule”), 17 C.F.R. § 248.201, in addition to violations of Regulation S-P, 17 C.F.R. 30(a) (the “Safeguards Rule”). Regulation S-ID and Regulation S-P apply to SEC-registered broker-dealers, investment companies, and investment advisers and require those entities to maintain written policies and procedures to detect, prevent, and mitigate identity theft and to safeguard customer records and information.
Ohio Enacts Cybersecurity Safe Harbor Law
Ohio recently enacted the Ohio Data Protection Act (2018 SB 220), a law that offers a breach litigation safe harbor to businesses meeting specific cybersecurity standards. While the law does not prevent a plaintiff from filing a lawsuit following a data breach, it does provide an affirmative defense to companies defending themselves against such claims.
South Carolina Enacts Insurance Data Security Act
South Carolina recently enacted a prescriptive data security law for insurers. The law bears a resemblance to the New York Department of Financial Services cybersecurity rules that entered into force last year. In short, the South Carolina law requires licensees to develop and implement a comprehensive written information security program and to notify the South Carolina Department of Insurance of certain cybersecurity events.
NYDFS Cybersecurity Requirements Compliance Deadline Nears for Key Provisions
September 4, 2018, marked the end of the transitional period for covered entities to comply with several key provisions of the NYDFS Cybersecurity Requirements that require certain systemic and sustained measures. These provisions include encryption and audit trail requirements as well as provisions relating to the implementation of monitoring policies, procedures, and controls; application security; and data-retention limitations.
CFPB Changes Annual Notice Requirement Under Reg. P
On August 10, the Consumer Financial Protection Bureau announced its “finalized amendments” to Regulation P, an implementing regulation of the financial privacy provisions of the federal Gramm–Leach–Bliley Act. Regulation P governs the provision of privacy notices by covered financial institutions. In response to legislation passed by Congress in late 2015, the final rule permits financial institutions to forgo providing annual privacy notices to customers in certain circumstances. In addition, where the annual notice requirement still applies, the final rule gives financial institutions additional flexibility in the mechanism chosen to deliver the notice to their customers.
LabMD: The End of the FTC in Cyber or Just a New Path?
The Eleventh Circuit issued its opinion in LabMD Inc. v. FTC, No. 16-16270 (11th Cir. June 6, 2018), declaring unenforceable a Federal Trade Commission order requiring LabMD to implement an extensive cybersecurity plan. The case is noteworthy for its lengthy procedural background—during which LabMD became defunct—and its holding, which has called into question the FTC’s authority to impose wide-ranging, comprehensive cybersecurity plans.
Supreme Court Recognizes Reasonable Expectation of Privacy for Historical Cell-Site Location Information
The Supreme Court held in Carpenter v. United States that an individual has a reasonable expectation of privacy in historical cell-site location information that provides a comprehensive view of the individual’s movement. A 5–4 decision, Carpenter marks a significant development for both the third-party doctrine and the privacy space more generally. Carpenter signals a change in the Court’s traditional view of the third-party doctrine.
Oregon and Arizona Amend Breach Notification Laws
Amended breach notification laws took effect in Oregon and Arizona. In both cases, the amended laws heighten existing requirements and reflect broader trends in the breach notification landscape at the state level, including by expanding the scope of personal information that triggers notification and requiring notification within a specified timeframe. In Oregon’s case, the amendments supplement already-existing data-security requirements for companies that handle the personal data of Oregon residents.
Vermont Data Broker Law Enacted
Under a Vermont law, data brokers that process information regarding Vermont residents will be subject to registration and security requirements beginning January 1, 2019. Included in the new law are three notable components: (1) a broad statutory definition of a “data broker”; (2) an annual registration requirement for data brokers; and (3) reporting on data broker security breaches.
Colorado Enacts Expanded Data Breach Notification Law
Consistent with recent expansions to state data breach notification laws, Colorado enacted an expanded data privacy law that strengthens the state’s existing breach notification law and that requires policies and procedures for the protection and destruction of personal identifying information.
In the News
September 21, 2018 – Kelley Barnaby and Kate Hanniford authored an article, “Your Data in the Hands of a ‘Fourth Party’: Cybersecurity Considerations in Discovery,” in Bloomberg Law.
September 14, 2018 – Larry Sommerfeld was quoted in Law360 on how lower courts are grappling with the U.S. Supreme Court’s landmark digital privacy ruling in Carpenter v. U.S. (subscription required)
September 11, 2018 – Peter Swire was quoted in Bloomberg Law on the importance of data access issues in the cloud computing era.
August 8, 2018 – Kim Peretti, Larry Sommerfeld, and Nameir Abbas authored an article, “Carpenter Ruling May Be Turning Point in Digital Data Privacy,” in Law360. (subscription required)
July 25, 2018 – Larry Sommerfeld was noted in the Daily Report for joining the firm’s Atlanta office as a privacy and cybersecurity partner.
July 23, 2018 – Kim Peretti was quoted in Law360 on the U.S. Supreme Court decision in Carpenter v. U.S. (subscription required)
July 12, 2018 – Cara Peterman was quoted in the Financial Times on the challenges facing companies in disclosing cyber attacks.
July 4, 2018 – David Keating was quoted in the National Law Journal on whether the California Consumer Privacy Act might give rise to federal data privacy protections. (subscription required)
July 2, 2018 – Peter Swire and Dan Felz authored an article, “A Canary in the Ad Tech Coal Mine? German DPAs Announce Opt-In Regime for Online Advertising,” in Bloomberg Law.
July 1, 2018 – David Keating was quoted by Yahoo! on the challenges facing companies under the California Consumer Privacy Act.
June 27, 2018 – Nameir Abbas was quoted in Legaltech News on a proposed Chicago ordinance to clamp down on the misuse and mishandling of residents’ personal data.