Christopher M. Loeffler


GDPR SIDEBAR: Should You Be Complying with the New Data Protection Law?

You’ve probably heard of the dreaded four-letter word – GDPR.  Companies around the globe had been preparing for the May 25th implementation date for quite some time.  But U.S.-based companies with no apparent EU presence may not have thought twice about whether the data protection law across the pond even applies to them.  Let’s face …

One Employee in Europe Could Trigger New EU Data Protection Obligations

An Update on the New EU General Data Protection Regulation

On 16 April 2016, the EU adopted the General Data Protection Regulation (‘GDPR’) which largely rewrites and harmonizes the European legal framework of data protection. The new regulation will become applicable in May 2018, but given the scope and complexity of the GDPR it is …

EU Data Protection Authority Issues GDPR Action Plan, Swiss Sign Privacy Deal with U.S.

On January 16, 2017, the Article 29 Working Party (“Working Party”)—the EU’s central data protection advisory board—published a press release regarding its Action Plan for 2017, which was adopted as part of its wider implementation strategy for the General Data Protection Regulation (“GDPR”).  The Action Plan follows up on the actions initiated in 2016 and …

May Old Memoranda Be Forgot: White House Issues New Memorandum on Breach Response Plan

The White House Office of Management and Budget (“OMB”) marked the beginning of the 2017 Federal calendar year by issuing a memorandum to all agency and department heads with new guidance on breach preparation and response. While the guidance is not directed to the business sector, it is instructive for corporate counsel as it complements …

For Better or Worse: Privacy Shield Challenges and (Actions for) Annulments

Over the course of the past two months, three privacy groups in France and one in Ireland filed separate actions for annulment with the European Court of Justice seeking the invalidation of the EU-U.S. Privacy Shield Framework. The Privacy Shield honeymoon phase appears to be over, and the first year of the transatlantic relationship may …

FTC Releases New Data Breach Response Guide For Businesses

The Federal Trade Commission released a new guide for businesses on data breach response yesterday along with a three-minute video summary. The 14-page guide highlights the immediate steps a business should take when responding to a data breach incident. As a bonus, the guidance also offers a model breach notification letter and encourages businesses to …

This Week in Privacy Shield Developments

It’s been another exciting week of developments for U.S. companies on the EU data transfer front. From the first company to indicate that it will certify under Privacy Shield, to the first European Data Protection Authority (DPA) to suggest that it would like to challenge the validity of the new framework, here are this week’s …

What You Need to Know About Privacy Shield: An Overview of the New Transatlantic Framework

On July 12, 2016, the European Commission (“Commission”) formally adopted and released the Privacy Shield Adequacy decision, which will allow certified U.S. companies to transfer EU personal data to the United States.  The EU-U.S. Privacy Shield (“Privacy Shield”) replaces the U.S.-EU Safe Harbor framework (“Safe Harbor”), which was invalidated in October 2015 by the European …

Despite Early Challenges, European Commission Adopts EU-U.S. Privacy Shield

After months of negotiations, today the College of Commissioners formally adopted the EU-U.S. Privacy Shield (“Privacy Shield”). This is an encouraging development for the more than 4,400 U.S. companies that had previously relied on the U.S.-EU Safe Harbor framework and sought legal certainty regarding data transfers in its wake. As we reported in a previous …

Privacy Shield Setback? European Parliament Asks to Revisit Negotiations

The saga continues on the quest to improve the EU-U.S. Privacy Shield Agreement (“Privacy Shield”), the framework that, if enacted, would permit transatlantic data flows from the EU to the U.S. Yesterday, the European Parliament approved a resolution asking the European Commission (the “Commission”) to (1) clarify the legal status of “written assurances” provided by …

Privacy Shield Pierced? Article 29 Working Party Expresses Concern with Agreement

The Article 29 Working Party (The Working Party), which includes representative data protection authorities from each EU member country and the European Data Protection Supervisor, issued a 58-page opinion yesterday that flagged perceived shortcomings of the draft EU-U.S. Privacy Shield (Privacy Shield). Privacy Shield was slated to replace the now defunct Safe Harbor, and is the updated framework designed to permit organizations …

Privacy Shield: The New Transatlantic Agreement and How it May Impact Your Company

Last Tuesday, February 2, 2016, the European Commission announced that it approved the EU-U.S. Privacy Shield (“Privacy Shield”), an agreement with the U.S. Department of Commerce establishing a new framework for transatlantic data flows. Although the full text and details of Privacy Shield have not been released, the new framework is expected to replace the now …

Nevada and Wyoming Expand Breach Notification Laws to Protect Account Credentials

On July 1, 2015, amendments to both Nevada’s and Wyoming’s breach notification laws come into force, expanding the definition of Personal Information (“PI”) to include account credentials such as a username or email address. With these amendments, the two states join California and Florida in a small but growing number of states that have overhauled breach …

So There’s Been a Data Breach: What Will That Cost?

It’s well-known that most companies collect, store and use the personal information of their customers and employees.  This is valuable and proprietary information and most companies take steps to safeguard this information from attack or inadvertent disclosure.  Yet, no security is perfect and despite efforts to secure the information, it’s often not a matter of …

NAI Releases Updated Code of Conduct for Online Behavioral Advertising

The Network Advertising Initiative (“NAI”) recently announced final updates to its 2013 Code of Conduct (“NAI Code”). The NAI Code is one of the leading industry self-regulatory codes of conduct governing online behavioral advertising (“OBA”) for third party digital advertising companies. While prior versions of the NAI Code were focused on advertising networks, the 2013 …

Delta Cleared for Takeoff: Wins Dismissal of California AG Mobile App Privacy Action

In December 2012, the California Attorney General filed a lawsuit against Delta Airlines, Inc. (“Delta”) alleging that Delta violated California’s Online Privacy Protection Act by failing to post a privacy policy within its Fly Delta mobile app.  It was the first mobile app enforcement action brought by the California Attorney General and closely followed the …

FTC Continues FCRA Enforcement Activities: Warning Letters to 10 Data Brokers

Today, the Federal Trade Commission (“FTC”) announced that it sent letters to 10 data brokers warning them that their practices may be subject to the Fair Credit Reporting Act (“FCRA”).  A sample letter is available here.  Among other things, the FCRA governs the sale and use of consumer information which may be used to make decisions …

Wyndham Wins Change of Venue in FTC Data Security Case

The FTC’s first litigated data security action alleging that a company engaged in unfair and deceptive practices in violation of Section 5 of the FTC Act based on its data security practices continues, but now in a different jurisdiction. The complaint was originally filed in the U.S. District Court in Arizona. The Arizona Federal District …

Retailer Sues Visa for Recovery of Data Breach PCI Fines

In a first-of-its-kind suit, on March 7, 2013, the sports-apparel retailer Genesco filed a lawsuit against Visa for recovery of fines that Visa issued against Genesco after it suffered a data breach. Generally, merchants are contractually required to be compliant with the payment card industry data security standard (PCI DSS) as well as …

Best Practices for E-Mail Marketing

If you work with e-mail marketing—whether you’re putting together the content, reviewing the images and links for accuracy, or conducting a final copy and legal review—you already know that your commercial message must be compliant with the CAN-SPAM Act. It’s not that it’s hard to follow, but sometimes it can be so easy to forget. …

HHS Clarifies that ISPs are not Business Associates under HIPAA

The Department of Health and Human Services (“HHS”) issued a final rule to update its regulations under the Health Insurance Portability and Accountability Act (“HIPAA”). In the final rule, HHS clarifies that data transmission organizations, such as Internet Service Providers (“ISPs”), that do not require access to protected health information (“PHI”) on a routine basis …

NAI Releases 2012 Compliance Report for Online Behavioral Advertising

On February 7, 2013, the Network Advertising Initiative (“NAI”) released its 2012 Annual Compliance Report addressing member organizations’ adherence to the NAI Code. The NAI Code is one of the leading industry self-regulatory codes of conduct governing online behavioral advertising (“OBA”) for third party digital advertising companies (such as advertising networks). The 2012 Compliance Report …

California Supreme Court Holds Song-Beverly Act Not Applicable to Online Transactions for Downloadable Products

In its February 4, 2013 opinion, the California Supreme Court continues to shape the scope of California’s Song-Beverly Credit Card Act, a consumer protection statute that prohibits the collection of personal identification information (“PII”) from consumers as part of a credit transaction.  In its decision, the Court held that the Song-Beverly Act does not apply …

UK ICO Fines Sony £250,000 After 2011 Data Breach

On January 24, 2013, the UK Information Commissioner’s Office (“ICO”) announced that it has fined Sony Computer Entertainment Europe Limited £250,000 (approximately $390,000 US) as a result of the 2011 data breach of the Sony PlayStation Network (“PSN”). In April 2011, Sony announced that it suffered a series of data breaches on the PSN and …