The White House Office of Management and Budget (“OMB”) marked the beginning of the 2017 Federal calendar year by issuing a memorandum to all agency and department heads with new guidance on breach preparation and response. While the guidance is not directed to the business sector, it is instructive for corporate counsel as it complements the breach response guide the Federal Trade Commission issued back in October.

The FTC Breach Response Plan focuses on what a company should do once it has discovered a breach. The OMB guidance includes more comprehensive advice on how to prepare for a breach and highlights several best practices that can prove useful for any business. In short, it is a great counterpart to the FTC’s guidance for any company conducting a Breach Response Plan review.

Here are some helpful topics/resources from the memorandum:

  • Breach response plan defined terms and listing of common examples of a breach
  • Overview of minimum breach response plan elements, including:
    • Breach Response Team
    • Privacy Compliance Documentation
    • Secure Interdepartmental and Third-Party Information Sharing
    • Reporting Requirements
    • Assessing and Mitigating Risk of Harm
    • Notification
  • Breach response contract terms for third party vendors
  • Considerations for identifying logistical support and technical support when responding to a breach, and
  • Appendices which include a breach reporting template, general and category specific guidance for affected individuals, and examples of services a company can provide

Here’s hoping that Baby New Year doesn’t welcome you to 2017 with a security breach, but read together, the FTC and OMB resources can be a helpful way to start the new year by making resolutions on breach prevention and response planning.

Over the course of the past two months, three privacy groups in France and one in Ireland filed separate actions for annulment with the European Court of Justice seeking the invalidation of the EU-U.S. Privacy Shield Framework. The Privacy Shield honeymoon phase appears to be over, and the first year of the transatlantic relationship may prove to be the hardest. Although information is scarce, here’s what we know so far:

  • Disloyal DPAs: Calling Into Question the Independence of the Irish DPA. On September 16, 2016, Digital Rights Ireland (DRI), an Ireland-based digital rights advocacy group, filed the first action for annulment, allegedly claiming that (1) Ireland contravened its obligations under the Data Protection Directive to properly implement the Directive and (2) the Irish Data Protection Commissioner is not independent from the Irish Government, as required under Article 8 of the Charter of Fundamental Rights. (See Case T-670/16).
  • Surreptitious Surveillance: Schrems N’est-ce Pas? On October 25, 2016, three French privacy groups, La Quadrature du Net, French Data Network and the Federation FDN, sought the invalidation of Privacy Shield via a separate action for annulment. (See Case T-738/16). By contrast, here the parties took issue with the mass surveillance concerns that underscored the Schrems decision and argued that the European Commission violated Articles 7, 8, and 47 of the Charter of Fundamental Rights.
  • Conflict Avoidance: The Article 29 Working Party Moratorium. You may recall that in an earlier blog post we noted that the Article 29 Working Party agreed to a moratorium on any Privacy Shield challenges until the annual review of Privacy Shield in August 2017.

Legal certainty was one of the selling points of the Privacy Shield framework and the Article 29 Working Party moratorium reinforced that promise. These two actions will call into question this very notion. As always, we’ll continue to monitor these updates as they unfold.

On July 1, 2015, both Nevada and Wyoming’s breach notification law amendments come into force, expanding the definition of Personal Information (“PI”) to include account credentials such as a username or email address. With these amendments, the two states join California and Florida in a small but growing number of states that have overhauled breach notification laws to expand privacy protections for consumers.

Nevada’s breach notification laws will now define PI to include the following account information: “a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.” The change to the Nevada law also means that companies may have to ensure that account credentials are encrypted to comply with Nevada’s requirements to safeguard PI.

Under Wyoming’s law, login credentials will now be subsumed under the definition of PI along with several other broad categories of information. Notably, Wyoming’s updated law will include one of the broader definitions of PI and may affect the consumer or employee records or profiles maintained by a business.

These changes will expose industry to added compliance requirements. Companies doing business in these states should take stock of the information they collect and consider whether additional measures should be put in place to ensure compliance with the updated laws. We will continue to monitor updates to breach notification laws and how these changes will affect business compliance going forward.

It’s well-known that most companies collect, store and use the personal information of their customers and employees.  This is valuable and proprietary information and most companies take steps to safeguard this information from attack or inadvertent disclosure.  Yet, no security is perfect and despite efforts to secure the information, it’s often not a matter of whether, but when, a company will suffer a data breach.

In May 2013, the Ponemon Institute released its 2013 Cost of Data Breach Study: Global Analysis (“Ponemon Study”), indicating that the average cost of a data breach for US companies is $188 per record.  Notably, the Ponemon Study is based on a consumer perspective, and the cost per record includes hard costs (consumer notification, remediation, ID theft services) of approximately $60/record and soft costs (lost business, diminished goodwill) of approximately $128/record.  Based on an average 28,765 records per US breach, the Ponemon Study identifies a total organization cost of $5,403,644 per data breach, a dollar amount that should catch the attention of the C-suite.

In October 2012, NetDiligence released its whitepaper Cyber Liability & Data Breach Insurance Claims: A Study of Actual Payouts for Covered Data Breaches, which examines data breach costs from an insurer’s perspective (“NetDiligence Study”).  The NetDiligence Study indicates that the average cost of a data breach for US companies (based on hard costs as identified in insurance claims) is $3.94/record.  This is based on an average of 1.4 million records per breach and an average cost of $3,700,000 per data breach.

While the Ponemon Study and NetDiligence Study are based on different approaches and yield different results, they both indicate the seriousness and financial implications of a data breach.  Companies should continue to evaluate these types of reports as they implement plans, procedures, and tools to defend against, mitigate, and respond to data security threats.

The Network Advertising Initiative (“NAI”) recently announced final updates to its 2013 Code of Conduct (“NAI Code”). The NAI Code is one of the leading industry self-regulatory codes of conduct governing online behavioral advertising (“OBA”) for third party digital advertising companies. While prior versions of the NAI Code were focused on advertising networks, the 2013 NAI Code keeps pace with developments in the online advertising ecosystem and also governs the actions of participating demand side platforms (“DSPs”), supply side platforms (“SSPs”), and ad exchanges, among others.

The 2013 NAI Code reinforces the requirements for participants to provide education, notice, and choice regarding OBA, stating that industry’s approach must not remain stagnant, but rather adapt to ensure that the self-regulatory framework remains relevant and effective. It was also updated to reflect regulatory guidance including the FTC Final Privacy Report and White House Privacy Report. Additionally, the 2013 NAI Code harmonizes requirements with the Digital Advertising Alliance (“DAA”) Self-Regulatory Principles for Online Behavioral Advertising. [The NAI is one of the members of the DAA.]

The 2013 NAI Code introduces a new framework of data “identifiability” that splits the difference between the FTC and industry’s definitions of what is PII:

  • PII = Used or intended to be used to identify an individual
  • Non-PII = Linked or reasonably linkable to a specific computer or device
  • De-Identified Data = Not linked or reasonably linkable to either an individual or a specific computer or device

The online advertising industry continues to face scrutiny from regulators and Congress regarding its approach to OBA, with a specific focus on a Do Not Track standard. Companies engaged in any OBA, interest-based advertising, or online remarketing / retargeting activities should stay tuned as the self-regulatory and regulatory framework continues to evolve.

In December 2012, the California Attorney General filed a lawsuit against Delta Airlines, Inc. (“Delta”) alleging that Delta violated California’s Online Privacy Protection Act by failing to post a privacy policy within its Fly Delta mobile app.  It was the first mobile app enforcement action brought by the California Attorney General and closely followed the Attorney General’s warning campaign in which it sent out letters to approximately 100 app developers and companies notifying them that they were not in compliance with California’s law.  Our previous coverage of the complaint is here.

Yesterday, the California Superior Court dismissed the claim, holding that the state action is pre-empted by the federal Airline Deregulation Act, which prohibits states from applying regulations on airlines related to price, routes, or services.  Judge Miller stated: “In this instance it’s services. . . . I think that this case is, in effect, an attempt to apply a state law designed to prevent unfair competition, which regulates an airline’s communications with consumers, and I think it’s pre-empted.”  Press coverage is available here.

This is an interesting result for the first Attorney General app enforcement action and it’s too soon to tell whether the Attorney General will appeal the decision.  Unfortunately, the ruling doesn’t provide any substantive guidance, or give much comfort, to companies that can’t make similar federal pre-emption arguments.  Companies with mobile apps will want to keep their seatbacks and tray tables in their upright and locked positions as we watch for the Attorney General’s next activities in the mobile privacy space.

Today, the Federal Trade Commission (“FTC”) announced that it sent letters to 10 data brokers warning them that their practices may be subject to the Fair Credit Reporting Act (“FCRA”).  A sample letter is available here.  Among other things, the FCRA governs the sale and use of consumer information which may be used to make decisions about consumers’ creditworthiness, eligibility for insurance, or suitability for employment.

As part of a global privacy sweep conducted by the Global Privacy Enforcement Network (“GPEN”), the FTC conducted test-shopping with 45 data brokers.  Based on the sweep, 10 data brokers indicated a willingness to sell consumer information in a manner that may violate the FCRA.

As we’ve previously noted here and here, the FTC continues to use its authority under FCRA through enforcement actions—which include civil penalties—and warning letters.  Last month, the FTC warned 6 websites that their sharing of consumers’ rental history information with landlords may be subject to the FCRA.

While the warning letters are not a formal complaint alleging FCRA violations, they are an important reminder for all companies that sell consumer information to closely examine whether these practices fall under the FCRA and, if so, to ensure proper compliance.

The FTC’s first litigated data security action alleging that a company engaged in unfair and deceptive practices in violation of Section 5 of the FTC Act based on its data security practices continues, but now in a different jurisdiction. The complaint was originally filed in the U.S. District Court in Arizona. In its March 25 ruling, the Arizona Federal District Court granted the motion to change venue filed by the defendants, Wyndham Worldwide Corporation and three of its subsidiaries. The matter will now be heard in the District of New Jersey.

In a first-of-its-kind suit, on March 7, 2013, the sports-apparel retailer Genesco filed a lawsuit against Visa for recovery of fines that Visa issued against Genesco after it suffered a data breach. Generally, merchants are contractually required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS) as well as the payment card brands’ specific operating rules and regulations in order to accept each brand’s payment cards.  In the event of a data breach, a payment card brand may seek to recover funds for the incremental fraud incurred by the payment card brand, operational expenses (to cover costs such as card replacement), and fines for non-compliance with the PCI DSS.

After Genesco suffered a packet-sniffer data breach in 2010, Visa assessed it a total of $13.3 million in fines. In its complaint, Genesco alleges that it was never out of compliance with the PCI DSS and, thus, should not be liable for the fines.

Given the prevalence of data breaches, and especially the high costs incurred by merchants when responding to, and cleaning up the aftermath from, a breach involving payment card information, merchants should pay close attention to this case. If Genesco ultimately prevails, the case could challenge the underpinnings of the payment card brands’ contracting and enforcement mechanisms.

If you work with e-mail marketing—whether you’re putting together the content, reviewing the images and links for accuracy, or conducting a final copy and legal review—you already know that your commercial message must be compliant with the CAN-SPAM Act. It’s not that it’s hard to follow, but sometimes it can be so easy to forget.

Before your next e-mail marketing campaign is approved and in the Sent folder, make sure your commercial e-mails comply with best practices and the CAN-SPAM Act.  I highlight key requirements in this Best Practices for E-mail Marketing Checklist published by Practical Law Company. For a more detailed look at e-mail marketing practices, the full article is available here.