
Check out this month’s edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), for Divonne Smoyer and Kimberly Chow’s Q&A with North Carolina Attorney General (AG) Josh Stein. Throughout his tenure as AG, Stein has shown a clear commitment to data privacy and security through his advocacy for strong

The Federal Trade Commission (FTC) will be holding a series of hearings this fall on “Competition and Consumer Protection in the 21st Century,” with the goal of reflecting on the agency’s powers, and state attorneys general (AGs) want to make sure their voices are heard.

A bipartisan group of 29 state AGs filed comments with the FTC on August 20, 2018, asking it to consider their unique viewpoints and expertise as state regulators who are “in the forefront of consumer protection.” The FTC hearings begin on September 13 with a schedule that includes a panel on “The Regulation of Consumer Data” featuring former acting chair Maureen Ohlhausen and former FTC staff members and academics. As the FTC opens its doors for a public discussion on how its enforcement priorities and policies affecting consumers might change, especially with a new slate of commissioners, the AGs want to be seen as partners. In particular, they want to be part of the conversation on privacy and data security, as has been a strong trend in recent years.

“In our experiences, consumer privacy and data security is an afterthought in product and service development. Industry often does not adequately invest in privacy and security. Consumer data has inherent value and the free market alone does not adequately protect sensitive data. Consumers have voiced concerns to us about what personal information industry collects, how industry informs consumers about data collection, and how industry uses and shares consumers’ data. Industry must place privacy and security front and center in its research and development of products and services,” the comment stated.

The European Union’s General Data Protection Regulation (GDPR) is underway, and companies and organizations around the world are analyzing its effects on how they collect, use, store and disclose data. U.S.-based sponsors of sweepstakes, contests, instant win games and other promotions opening entry to or targeting Europeans need to be mindful of the GDPR rules

Company response to major data breach results in first-of-its-kind fine for improper disclosure to investors

On April 24, 2018, the U.S. Securities and Exchange Commission (SEC) and Altaba Inc. (formerly known as Yahoo! Inc.) agreed to settle SEC Division of Enforcement charges stemming from the compromise of 3 billion Yahoo accounts that occurred in 2013 and 2014 but was not disclosed until 2016.[1] The 2014 incident was attributed to Russian hackers by the U.S. government in March 2017.[2]

The SEC’s administrative proceeding order pointed to Altaba’s delayed disclosure of the 2013–2014 security incident as well as the company’s public filing of multiple reports with the SEC, which commented on the risks and consequences of a breach in general, but did not notify investors that such a threat had already been realized in 2013 and 2014.[3] Unlike previous high-profile fines for improper incident response arising from failures to disclose to affected customers or subjects of breached data, the $35 million fine levied against Altaba is the first of its kind to focus on disclosure to investors of a public company that has suffered a breach, and should encourage companies to direct commensurate focus to their data breach response plans to meet responsibilities to shareholders.

Arizona and its Attorney General’s office have emerged as key players in the effort to prioritize data security on the national stage. Since his inauguration in 2015, Arizona Attorney General Mark Brnovich has struck a balance between supporting innovation and protecting Arizonans’ privacy rights. With the support of Governor Doug Ducey, Arizona is taking active steps to broaden the scope of state privacy protection initiatives.

As the current Chair of the Conference of Western Attorneys General (CWAG), AG Brnovich will host CWAG’s 2018 Chair Initiative in Scottsdale, Arizona on May 3 and 4, focusing specifically on data privacy, cybersecurity, and digital piracy. The meeting will bring together AGs from around the country as well as thought leaders and key stakeholders in the private sector to tackle new horizons on issues such as breach notification, the European Union’s data protection regulations, national security, and FinTech. To read more about AG Brnovich’s 2018 Chair Initiative, and his take on how attorneys general are tackling privacy and data security issues, check out Reed Smith Partner Divonne Smoyer and Associate Kimberly Chow’s recent Q&A with AG Brnovich on the website of the International Association of Privacy Professionals.

Check out this month’s edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), for Divonne Smoyer and Kimberly Chow’s Q&A with Indiana Attorney General Curtis Hill. AG Hill has prioritized rolling back federal overreach and safeguarding consumers from fraud and scams, along with continuing to take a hard

Illinois Attorney General Lisa Madigan is leading a coalition of 32 attorneys general (AGs) in opposition to federal preemption in the area of data breaches, identity theft, and data security.

Specifically, the group wrote a bipartisan letter on March 19, 2018, to the U.S. House of Representatives Committee on Financial Services and the Subcommittee on Financial Institutions and Consumer Credit regarding the proposed Data Acquisition and Technology Accountability and Security Act, a draft bill introduced in the House last month. They are concerned that the bill, among other things, places consumer reporting agencies and financial institutions out of the reach of state enforcement. The AGs cite recent breaches as examples of the increasing threat and evolving nature of data security risks, and argue that the states have consistently proven themselves capable of rapidly and effectively responding to and protecting consumers at the state level through their own laws.

In particular, the letter points out three key shortcomings of the Act beyond the preemption of state laws: (1) it allows entities themselves to judge whether to notify consumers of a breach, which reduces the transparency afforded by state notification requirements; (2) it allows entities that decide to notify consumers to notify after the harm has already occurred, preventing the opportunity consumers currently have under state law to take proactive steps upon timely notification; and (3) it addresses breaches that affect 5,000 or more consumers, leaving attorneys general without the ability to redress the majority of breaches affecting consumers today that do not occur on a national scale.

Massachusetts Attorney General (AG) Maura Healey has announced that the state will offer an online portal where businesses can more easily report that they have experienced a data breach. Massachusetts will also offer consumers an electronic database to view reported breaches, similar to the online repositories operated by California, Maryland and other states. Affected companies

Check out this month’s edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), for Divonne Smoyer and Kimberly Chow’s Q&A with Wisconsin Attorney General Brad Schimel. AG Schimel has prioritized cybercrime enforcement and prevention for the state. In the interview, he discusses his data privacy and security agenda as