Kelley Drye

May Old Memoranda Be Forgot: White House Issues New Memorandum on Breach Response Plan

The White House Office of Management and Budget (“OMB”) marked the beginning of the 2017 Federal calendar year by issuing a memorandum to all agency and department heads with new guidance on breach preparation and response. While the guidance is not directed to the business sector, it is instructive for corporate counsel as it complements … Continue Reading

For Better or Worse: Privacy Shield Challenges and (Actions for) Annulments

Over the course of the past two months, three privacy groups in France and one in Ireland filed separate actions for annulment with the European Court of Justice seeking the invalidation of the EU-U.S. Privacy Shield Framework. The Privacy Shield honeymoon phase appears to be over, and the first year of the transatlantic relationship may … Continue Reading

Nevada and Wyoming Expand Breach Notification Laws to Protect Account Credentials

On July 1, 2015, both Nevada and Wyoming’s breach notification law amendments come into force, expanding the definition of Personal Information (“PI”) to include account credentials such as a username or email address. With these amendments, the two states join California and Florida in a small but growing number of states that have overhauled breach … Continue Reading

So There’s Been a Data Breach: What Will That Cost?

It’s well-known that most companies collect, store and use the personal information of their customers and employees.  This is valuable and proprietary information and most companies take steps to safeguard this information from attack or inadvertent disclosure.  Yet, no security is perfect and despite efforts to secure the information, it’s often not a matter of … Continue Reading

NAI Releases Updated Code of Conduct for Online Behavioral Advertising

The Network Advertising Initiative (“NAI”) recently announced final updates to its 2013 Code of Conduct (“NAI Code”). The NAI Code is one of the leading industry self-regulatory codes of conduct governing online behavioral advertising (“OBA”) for third party digital advertising companies. While prior versions of the NAI Code were focused on advertising networks, the 2013 … Continue Reading

Delta Cleared for Takeoff: Wins Dismissal of California AG Mobile App Privacy Action

In December 2012, the California Attorney General filed a lawsuit against Delta Airlines, Inc. (“Delta”) alleging that Delta violated California’s Online Privacy Protection Act by failing to post a privacy policy within its Fly Delta mobile app.  It was the first mobile app enforcement action brought by the California Attorney General and closely followed the … Continue Reading

FTC Continues FCRA Enforcement Activities: Warning Letters to 10 Data Brokers

Today, the Federal Trade Commission (“FTC”) announced that it sent letters to 10 data brokers warning them that their practices may be subject to the Fair Credit Reporting Act (“FCRA”).  A sample letter is available here.  Among other things, the FCRA governs the sale and use of consumer information which may be used to make decisions … Continue Reading

Best Practices for E-Mail Marketing

If you work with e-mail marketing—whether you’re putting together the content, reviewing the images and links for accuracy, or conducting a final copy and legal review—you already know that your commercial message must be compliant with the CAN-SPAM Act. It’s not that it’s hard to follow, but sometimes it can be so easy to forget. … Continue Reading

HHS Clarifies that ISPs are not Business Associates under HIPAA

The Department of Health and Human Services (“HHS”) issued a final rule to update its regulations under the Health Insurance Portability and Accountability Act (“HIPAA”). In the final rule, HHS clarifies that data transmission organizations, such as Internet Service Providers (“ISPs”), that do not require access to protected health information (“PHI”) on a routine basis … Continue Reading

NAI Releases 2012 Compliance Report for Online Behavioral Advertising

On February 7, 2013, the Network Advertising Initiative (“NAI”) released its 2012 Annual Compliance Report addressing member organizations’ adherence to the NAI Code. The NAI Code is one of the leading industry self-regulatory codes of conduct governing online behavioral advertising (“OBA”) for third party digital advertising companies (such as advertising networks). The 2012 Compliance Report … Continue Reading

California Supreme Court Holds Song-Beverly Act Not Applicable to Online Transactions for Downloadable Products

In its February 4, 2013 opinion, the California Supreme Court continues to shape the scope of California’s Song-Beverly Credit Card Act, a consumer protection statute that prohibits the collection of personal identification information (“PII”) from consumers as part of a credit transaction.  In its decision, the Court held that the Song-Beverly Act does not apply … Continue Reading

UK ICO Fines Sony £250,000 After 2011 Data Breach

On January 24, 2013, the UK Information Commissioner’s Office (“ICO”) announced that it has fined Sony Computer Entertainment Europe Limited £250,000 (approximately $390,000 US) as a result of the 2011 data breach of the Sony PlayStation Network (“PSN”). In April 2011, Sony announced that it suffered a series of data breaches on the PSN and … Continue Reading

Connecticut Data Breach Law Will Require Notice to Attorney General

Beginning October 1, 2012, Connecticut’s data breach notification law will require businesses to notify the Office of the Attorney General of a security breach affecting Connecticut residents.  The current law was repealed and replaced wholesale with the new law, which was neatly tucked away in a Special Session bill implementing the state’s budget for the … Continue Reading

Sen. Rockefeller Requests CEOs of Every Fortune 500 Company to Describe Cybersecurity Practices

Sen. Jay Rockefeller (D-WV) is sending letters to CEOs at every Fortune 500 company asking them to identify their cybersecurity practices and efforts to protect critical infrastructure.  Prior efforts to enact cybersecurity legislation during the 112th Congress have been ineffective, as comprehensive cybersecurity legislation was blocked by a filibuster.  Rockefeller has also urged President Obama … Continue Reading

Video Interview: Discussing Spokeo’s FTC Settlement with LXBN TV

Following up on my post on the subject, last week I had the opportunity to speak with Colin O’Keefe of LXBN regarding Spokeo’s $800,000 settlement with the FTC. In the brief interview, I explain what Spokeo does, how they allegedly violated the Fair Credit Reporting Act and Section 5 of the FTC Act and what … Continue Reading

Spokeo Agrees to Pay $800,000 to Settle Charges of FCRA Violations

Today, the Federal Trade Commission (FTC) announced that Spokeo, Inc., an information broker that markets and sells detailed consumer data profiles, will pay $800,000 to settle FTC charges that it violated the Fair Credit Reporting Act (FCRA). In its complaint, the FTC alleged that Spokeo sold consumer profiles compiled from Internet and social networking sites, … Continue Reading

Paul Ohm to Serve as Senior Adviser to FTC on Internet, Privacy and Mobile Markets

Professor Paul Ohm, Associate Professor at the University of Colorado Law School, will be joining the FTC as a senior policy adviser for consumer protection and competition issues in the Internet and mobile market space this August. Ohm’s legal career has focused on information privacy and cyberlaw matters. He is the author of numerous law review articles … Continue Reading

Appellate Court Vacates Summary Judgment for Google in Copyright Infringement Suit

Last week the Second Circuit Court of Appeals issued an opinion in the ongoing copyright dispute between Viacom and YouTube/Google.  In 2006, Viacom filed a $1 billion lawsuit against Google, alleging that tens of thousands of videos submitted by users and displayed on YouTube violated Viacom’s copyrights, and that Google should be liable for the … Continue Reading

California Supreme Court Holds Zip Code is PII under Song-Beverly Act

This post was written by Dana B. Rosenfeld, Alysa Z. Hutnik, and Christopher M. Loeffler. On February 10, 2011, the California Supreme Court released its decision in Pineda v. Williams-Sonoma Stores, Inc., holding that zip code information is personal identification information ("PII") under the Song-Beverly Credit Card Act (the "Song-Beverly Act"). The court’s decision restricts … Continue Reading

FTC Releases Proposed Framework For Protecting Consumer Privacy

This post was written by the Kelley Drye & Warren Privacy and Information Security Practice Group. Today, the FTC issued its highly-anticipated preliminary staff report on privacy, “Protecting Consumer Privacy in an Era of Rapid Change.” The report proposes a new privacy framework for businesses and policymakers and addresses the Commission’s view that self-regulation has, … Continue Reading

PCI Security Standards Council to Release Updated Security Standards: PCI DSS 2.0 and PA-DSS 2.0

On Thursday, August 12, 2010, the Payment Card Industry Security Standards Council (PCI SSC) released a document highlighting proposed revisions to the PCI Data Security Standard (PCI DSS) and Payment Application-Data Security Standard (PA-DSS).  These revisions will not include significant changes to the current standards, but seek to: Provide clarity on the requirements, scoping, and … Continue Reading

FTC Plans for Internet Privacy Framework

This post was written by Christopher M. Loeffler and Alysa Z. Hutnik. On Tuesday, April 26, 2010, the Federal Trade Commission (FTC) announced that it intends to develop Internet privacy guidelines. The guidelines will examine social networking sites’ data handling practices and create a framework to guide social networks and others going forward. Given the … Continue Reading