
The European Union and the United States have now conducted the second annual review of Privacy Shield, a framework which regulates and facilitates the exchange of personal data across the Atlantic. The European Commission will publish its conclusions in a report at the end of this month.

The EU-U.S. Privacy Shield mechanism

EU organisations that want to transfer personal data to recipients outside the EU/EEA must assess whether the recipient country ensures an adequate level of data protection. Privacy Shield imposes stronger obligations on U.S. companies to protect the personal data of individuals in the EU and to monitor, enforce and cooperate with the European data protection authorities to ensure adequacy.

On a voluntary basis, U.S. organisations can self-certify to the U.S. Department of Commerce, publicly stating that they will comply with Privacy Shield requirements. A list of the certified organisations can be found here. Nearly 4,000 companies have now made legally enforceable commitments to comply with the framework since Privacy Shield went into effect in 2016.
Continue Reading EU and U.S. second annual review of Privacy Shield

On Thursday, September 27, the Federal Trade Commission (FTC) announced settlements with four companies, IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath, Inc., following allegations that the companies falsely claimed to be certified under the EU-U.S. Privacy Shield.

Specifically, the FTC alleged that IDmission, LLC misrepresented participation in the program by claiming certification on its website despite never completing the steps necessary to participate following the company’s October 2017 application. On the other hand, mResource LLC, SmartStart Employment Screening, Inc., and VenPath, Inc. each successfully obtained Privacy Shield certification in 2016 but failed to properly renew expired certifications. Therefore, the FTC alleged the three companies misrepresented that they were current participants in the program.

Further, the FTC alleged that SmartStart Employment Screening, Inc. and VenPath, Inc. additionally misrepresented that they adhere to the Privacy Shield Principles by failing to withdraw or affirm the commitment to protect personal information acquired during participation in the program. The Privacy Shield Principles require that if a company ceases to participate, the company must affirm to the U.S. Department of Commerce that it will continue to apply the Privacy Shield Principles to such personal information.
Continue Reading FTC continues aggressive enforcement of Privacy Shield

As of today, Covered Entities are expected to be compliant with additional provisions under the New York State Department of Financial Services (NYDFS) cybersecurity regulation. A “Covered Entity” is any individual or non-governmental entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” 23 NYCRR 500.01. The cybersecurity regulation became effective March 1, 2017, and Covered Entities had 180 days to become compliant, unless otherwise specified.

A year later, on March 1, 2018, Covered Entities were expected to be in compliance with requirements related to annual reporting by the Chief Information Security Officer (CISO) on the cybersecurity program and material cybersecurity risks, continuous monitoring or periodic penetration testing and vulnerability assessments, periodic risk assessments, multi-factor or risk-based authentication, and regular cybersecurity awareness training for all personnel.
Continue Reading September 4, 2018: NYDFS Cybersecurity Regulation Compliance date arrives

This month, the Privacy Shield Program posted answers to Frequently Asked Questions. The Privacy Shield provides a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

The general guidance addresses topics such as the continued status of the Privacy

As previously reported, the Supreme Court on November 29 heard arguments in Carpenter v. United States, an important privacy case about the Fourth Amendment’s application to 127 days’ worth of a criminal suspect’s cell-site location information. While the Court has yet to decide the case, its decisions last week in Byrd v. United States and earlier this Term in District of Columbia v. Wesby (argued by one of this post’s authors) hint of trouble ahead for the government.

Byrd and Wesby: A practical rather than technical reading of the Fourth Amendment

While the facts were quite different in Byrd and Wesby, the decisions share a common theme. In both, the Supreme Court rejected analytical shortcuts that did not reflect the real world.

Byrd involved a police search of a rental car trunk yielding contraband, including forty-nine bricks of heroin. The lower courts accepted the government’s argument that the driver could not object to the search under the Fourth Amendment because “drivers who are not listed on rental agreements always lack an expectation of privacy in the automobile based on the rental company’s lack of authorization alone.” The Supreme Court decisively rejected this “per se rule.” It noted how there are “countless innocuous reasons why an unauthorized driver might get behind the wheel of a rental car and drive it” and how “car-rental agreements are filled with long lists of restrictions.” A breach of an agreement would not automatically mean the driver lacked even the reasonable expectation of privacy necessary to claim Fourth Amendment protection. (The same might be argued of email providers’ fine-print-laden Terms of Service, as the Electronic Frontier Foundation and Orin Kerr have noted.) But the Court also rejected the competing argument that the sole occupant of a rental car “always” has an expectation of privacy, and so it remanded for a ruling based on the precise facts rather than categorical rules.
Continue Reading Supreme Court drops hints about upcoming privacy decision in Carpenter

Illinois Attorney General Lisa Madigan is leading a coalition of 32 attorneys general (AGs) in opposition to federal preemption in the area of data breaches, identity theft, and data security.

Specifically, the group wrote a bipartisan letter on March 19, 2018, to the U.S. House of Representatives Committee on Financial Services and the Subcommittee on Financial Institutions and Consumer Credit regarding the proposed Data Acquisition and Technology Accountability and Security Act, a draft bill introduced in the House last month. They are concerned that the bill, among other things, places consumer reporting agencies and financial institutions out of the reach of state enforcement. The AGs cite recent breaches as examples of the increasing threat and evolving nature of data security risks, and argue that the states have consistently proven themselves capable of rapidly and effectively responding to and protecting consumers at the state level through their own laws.

In particular, the letter points out three key shortcomings of the Act beyond the preemption of state laws: (1) it allows entities themselves to judge whether to notify consumers of a breach, which reduces the transparency afforded by state notification requirements; (2) it allows entities that decide to notify consumers to notify after the harm has already occurred, preventing the opportunity consumers currently have under state law to take proactive steps upon timely notification; and (3) it addresses breaches that affect 5,000 or more consumers, leaving attorneys general without the ability to redress the majority of breaches affecting consumers today that do not occur on a national scale.
Continue Reading State attorneys general advocate continuing state leadership in privacy enforcement, denounce federal preemption of state breach and security laws

On February 26, 2018, an en banc federal appeals court held that the common carrier exception in the Federal Trade Commission (FTC) Act that preempts FTC jurisdiction is “activity-based” rather than “status-based” and therefore applies only to the extent an entity engages in common-carrier services. See FTC v. AT&T Mobility LLC, No. 15-16585, D.C. No. 3:14-cv-04785EMC (Opinion) (9th Cir. Feb. 26, 2018). The decision affirmed the Northern District of California’s denial of AT&T Mobility LLC’s motion to dismiss.

In 2010, AT&T switched its mobile data plan offering from “unlimited” to “tiered” but allowed existing customers to retain their unlimited data plans. In 2011, AT&T reduced unlimited customers’ broadband data speed without regard to actual network congestion if they exceeded a preset limit. The FTC filed an action in October 2014 under section 5 of the FTC Act, alleging AT&T’s data-throttling plan was unfair and deceptive. AT&T moved to dismiss, arguing it was exempt due to common carrier status.

Section 5 exempts “common carriers subject to the Acts to regulate commerce.” 15 U.S.C. § 45(a)(1), (2). Although providing mobile data was not a “common carrier service” at the time the FTC filed suit, the Federal Communications Commission (FCC) reclassified mobile data as a common-carriage service in 2015 while AT&T’s motion to dismiss was pending. See In the Matter of Protecting and Promoting the Open Internet, 30 F.C.C. Rcd. 5601, 5734 n.792 (2015) (Reclassification Order). The FCC reversed the Reclassification Order in early 2018. See In the Matter of Restoring Internet Freedom, W.C. Dkt. No. 17-108, 2018 WL 305638, at *1 (Jan 4, 2018).
Continue Reading Ninth Circuit calls common carrier exception “activity-based”

A Washington Legal Foundation legal opinion titled “The FTC’s Black-Box Determination of Information’s Sensitivity Imperils First Amendment and Due-Process Rights” and written by Gerry Stegmaier, Wendell Bartnick, and Kelley Chittenden illustrates the troubling fact that although businesses are tasked with implementing “reasonable” data security that hinges, in part, on the sensitivity of information, the Federal

The U.S. Court of Appeals for the Sixth Circuit recently ruled that a data breach defendant waived its attorney-client privilege for investigation-related communications with counsel after disclosing investigative findings in a discovery request and relying on the findings to assert an affirmative defense. The attorney-client privilege is a powerful tool, but it must be handled with care.

In a recently published “Staff Perspective,” the Federal Trade Commission (FTC) appears to be staying true to the regulatory humility approach Acting Chairman Maureen K. Ohlhausen underscored in her opening remarks to the connected cars and autonomous vehicles workshop the FTC co-hosted with the National Highway Traffic Safety Administration (NHTSA) last summer. The workshop covered a wide range of existing and future connected car technologies, from infotainment systems such as GM’s new Marketplace feature, to vehicle-to-vehicle and vehicle-to-infrastructure (such as traffic lights and cameras) communications capabilities, to fully automated “driverless” vehicles. The Consumer Protection Bureau of the FTC ultimately distills the privacy and data security discussion down to the following takeaway: Connected vehicles will generate – and businesses will collect – a vast amount of aggregated, non-sensitive and sensitive data, which may lead to privacy risk due to unexpected uses and data security risk.
Continue Reading Warning light: The FTC is monitoring the connected car marketplace