In the latest of a recent string of judicial rebukes, the Supreme Court’s unanimous decision in Axon Enterprise, Inc. v. FTC offers the targets of Federal Trade Commission (“FTC”) and other agencies’ administrative proceedings a path to quicker judicial relief. Historically, courts have been reluctant to permit immediate challenges to investigations and adjudications without forcing the targets to wait for the resolution of all agency proceedings. While aptly referred to as the doctrine of “exhaustion,” the result, as Justice Gorsuch observed, is that “agencies sometimes use this as leverage to extract settlement terms they could not lawfully obtain any other way.” The Court’s decision in Axon not only deprives the FTC of a potential source of leverage, but it also increases the likelihood that companies faced with investigations may turn to the courts for relief at an earlier stage. The decision comes at a time when the FTC’s powers and attempts to exercise those powers have been called into question by the bar, members of Congress, and by courts.Continue Reading Unanimous Supreme Court limits FTC and other agencies’ investigative power
Maryland and California look to join the list of states that not only regulate biometric data but provide consumers with the opportunity to seek hefty statutory damages and attorney’s fees from offending businesses. Similar to Illinois’ oft-litigated Biometric Information Privacy Act (“BIPA”), both bills would also (i) require written consent prior to the collection of biometric information; (ii) impose BIPA-like security measures, and (iii) mandate specific retention criteria, as described below.
Continue Reading Maryland and California Propose Biometric Privacy Legislation that Would Include Illinois-Like Private Rights of Action
Two Chinese information security laws, the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”), are creating difficulties for parties involved in litigation in the United States seeking discovery materials stored in China.
Both the DSL and the PIPL require data processors to obtain approval from the Chinese government before transferring any data stored in China to a foreign court or law enforcement authority, or otherwise face significant penalties such as fines in the millions of dollars.
Litigants in the U.S. should be aware that the DSL and PIPL may impose significant costs and delays in the discovery process, and may be used to avoid turning over certain materials.Continue Reading Chinese data security laws increasingly create roadblocks for litigants seeking discovery in U.S. courts
Beginning in May 2022, employers in New York state will be required to make certain disclosures to their workers if they engage in electronic monitoring of employee communications. On November 8, a bill signed into law by Governor Kathy Hochul requires that all employers provide written notice to newly-hired employees if they intend to monitor…
The Federal Trade Commission (FTC or Commission) has issued a final rule clarifying its data security requirements for certain covered financial institutions. The new rule, which amends the Safeguards Rule originally promulgated in 2002 under the Gramm-Leach-Bliley Act (GLBA), outlines specific criteria to be incorporated as part of GLBA-covered financial institutions’ information security programs. The primary changes include:
- A requirement to designate a single qualified individual responsible for overseeing the information security program and periodically reporting to the board (or other governing body)
- Identification of specific security risk assessment criteria and a requirement that such assessments be documented in writing
- Specific required safeguards, including access controls, encryption, data disposal procedures, continuous monitoring, and penetration testing
- Service provider selection criteria and a related requirement to periodically assess service providers based on perceived risk
- Expansion of the definition of “financial institution” to clarify that it includes entities providing “finder” services incidental to financial activities
The updated rule takes effect 30 days after publication in the Federal Register, but some of the more significant new requirements will not take effect for another year.Continue Reading FTC significantly amends GLBA Safeguards Rule
California’s new enforcement agency, the Consumer Privacy Protection Agency (CPPA), recently held a meeting of its Board of Directors (Board), where they discussed the possible need to extend the July 1, 2022 CPRA rulemaking deadline and estimated that the updated privacy law, which takes effect in 2023, may require doubling the existing body of CCPA regulations. Key rulemaking topics discussed at the board meeting included rules covering new topics such as rules related to automated decision-making and the CPRA’s new data protection assessment and auditing requirements.
CPPA executive director and staff to be appointed
With a little over nine months until the CPRA regulations are supposed to be finalized, the CPPA is still working on making key staff and leadership appointments. The Board recently held an all-day closed session to review and discuss the applications for the executive director post, indicating it may be close to making a decision on that leadership post. In the preceding open session, members discussed the Chief Privacy Auditor role and the requirements for that new position. As for staff, the Board noted that the Attorney General’s (AG) office already has 10 people dedicated to CCPA-related work and discussed hiring five retired state employees that are attorneys for part-time positions.
Extension of the July 1, 2022 rules deadline
With the CPRA rulemaking deadline looming on July 1, 2022, Board members expressed concern about the CPPA’s ability to draft, revise, and finalize a large number of new rules in the time that remains. Based on this concern, the Board discussed asking the legislature for an extension, enacting temporary “emergency” regulations, or adding grace periods for compliance with the new rules. Emergency rules would allow the CPPA to introduce new rules on an expedited basis while extending the final rulemaking beyond the July 1, 2022 deadline.
Continue Reading California privacy update: New state enforcement agency leadership discuss extending CPRA rulemaking deadline and doubling the number of current CCPA regulations
In preparation for the California Privacy Rights Act (CPRA), effective January 1, 2023, the California AG Rob Bonta has been actively enforcing the California Consumer Privacy Act (CCPA) and providing updated guidance for consumers and businesses. The AG recently held a press conference to discuss enforcement proceedings brought by his office over the last year…
The protection afforded by attorney-client privilege brings about a candid conversation between lawyers and clients. Privilege can attach to communications covering a variety of topics, from responding to a data subject access request (DSAR) to handling a security incident or managing complex and time consuming investigations on a multinational scale. Different privilege rules may apply…
A trio of consumer data privacy bills modeled after Europe’s General Data Protection Regulation (GDPR) has been introduced in the Wisconsin State Assembly. The three bills, collectively dubbed the Wisconsin Data Privacy Act (WDPA), were sponsored by Republican State Representative Shannon Zimmerman, who is seeking to make Wisconsin “the most consumer-friendly state in our nation on data privacy.” Collectively, Assembly Bills 870, 871, and 872 seek to grant Wisconsin residents a host of rights related to companies’ collection and processing of their personal data and would impose a number of related regulatory obligations on companies that process personal data.
- A right to request information about what personal data a company has processed;
- A requirement that companies obtain opt-in consent before collecting or making any use of the consumer’s personal data;
- A right to request that a company stop any processing of the consumer’s personal data and give notice to cease processing personal data to every entity the company has shared the consumer’s data with (unless this is impossible or involves unreasonable efforts); and
- A right to request deletion of the consumer’s personal data.
The recently announced multistate settlement between credit reporting company Equifax Inc. and the Attorneys General of 48 states, Puerto Rico, and the District of Columbia (the AGs) demonstrates the increasingly active role of state regulators in policing the privacy and security practices of businesses that handle consumers’ personal information. The multistate settlement is part of a comprehensive agreement between Equifax, the AGs, and other state and federal regulators, under which Equifax will pay at least $575 million and up to $700 million to resolve investigations and litigation arising out of a 2017 data breach alleged to have affected over 147 million consumers.
Continue Reading Equifax agrees to enhanced security and privacy measures and will pay states and the Consumer Financial Protection Bureau at least $575 million to resolve multistate investigation of 2017 data breach.