Privacy

Illinois Court Says Biometric Fingerprint is Violation of Privacy, Even Without Injury: Data Privacy Trends

With Legaltech® behind us, it’s time to get back to covering interesting news items.  On January 25, the Illinois Supreme Court rejected an argument from a popular theme park that would have limited a state law that requires consent for the use of facial recognition and other biometrics.

According to The Verge (Crucial biometric privacy law survives Illinois court fight, written by Russell Brandom), Illinois’ Biometric Information Privacy Act (or BIPA), passed in 2008, requires affirmative consent for companies to collect biometric markers from their customers, including fingerprints and facial recognition models. The law has become a sticking point for a number of tech companies using facial recognition as a photo-sorting tool, and both Facebook and Google have faced lawsuits for alleged BIPA violations in their photo-tagging products. Facebook has pushed for legislative revisions to the law on several occasions, but so far unsuccessfully.

The January ruling involved Six Flags, which allegedly fingerprinted a 14-year-old visitor without parental approval. Contesting the case, Six Flags argued it couldn’t be held liable unless the plaintiff demonstrated a tangible injury from the unauthorized collection, often a difficult task in privacy lawsuits. If successful, Six Flags would have significantly limited BIPA’s power and made facial recognition much easier for companies like Facebook and Google.

But the Illinois Supreme Court was ultimately unconvinced by the argument, ruling that “a person need not have sustained actual damage beyond violation of his or her rights under the Act.” In Illinois, businesses that collect biometric data will have to do so carefully, which the court took to be a reasonable intent of the law itself. “Whatever expenses a business might incur to meet the law’s requirements,” the ruling reads, “are likely to be insignificant compared to the substantial and irreversible harm that could result if biometric identifiers and information are not properly safeguarded.”

The ruling has been met with cheers from privacy groups, like the Electronic Frontier Foundation, but some business groups, like the Illinois Chamber of Commerce, expressed concern over the ruling, saying “We fear that today’s decision will open the floodgates for future litigation at the expense of Illinois’ commercial health.”  With the General Data Protection Regulation (GDPR) going into effect last year, the California Consumer Privacy Act (CCPA) passed and set to go into effect next year, and case law rulings like the SCOTUS ruling in Carpenter v. US, I’ve been saying that 2018 was the year of data privacy.  It doesn’t seem to be slowing down any in 2019.

So, what do you think?  Do you think we’re going too far on enforcing data privacy or do you think that rulings like this are appropriate?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Judge Suggests That “Bone-Crushing” Discovery is Needed to Explore Extent of Facebook Breach: Cybersecurity Trends

Remember the latest Facebook breach – the one from September of last year that exposed 50 million accounts?  I say “latest” because you have to differentiate these days.  Well, naturally, that breach spawned several lawsuits.  And, the judge presiding over those suits indicated that he will allow Facebook users “bone-crushing” discovery in those lawsuits, saying he’s sympathetic to users’ concerns and that’s worth “real money” — not just “some cosmetic injunctive relief.”

According to LAW360 (Alsup Wants ‘Bone-Crushing’ Discovery Into Facebook Breach, by Dorothy Atkins, subscription required), U.S. District Judge William Alsup said Facebook users don’t know how badly they’ve been harmed yet and he sees the “real anxiety and harm” to individuals who are going to be worried for the rest of their lives that their personal information and pictures were stolen off of the social media platform.

“That is a real problem that is worth money, not just a security package from Equifax,” he said, adding that the amount at stake is a “serious proposition” for Facebook if found liable.

While Facebook’s attorney indicated that it appears that the hackers only took users’ names and email addresses, Judge Alsup appeared skeptical, saying repeatedly that he’s going to allow their attorneys to take “bone-crushing discovery” to find out if that is true.

“I’ve seen too many defendants that say that and … another good lawyer gets in there, with bone-crushing discovery, and we find out it’s not true,” he said.

Judge Alsup added that many Facebook users post highly personal information on the site, and it doesn’t make sense that hackers would only steal a user’s name and email address when they could also take photos and other more sensitive information.

Facebook announced last September that hackers accessed approximately 50 million accounts from July 2017 through September 2018 by exploiting a vulnerability in Facebook’s code through its “View As” feature, which enabled the hackers to steal access tokens — digital keys that allow users to stay logged into Facebook without having to repeatedly re-enter passwords — that the attackers could then use to take over accounts, according to the company.

Judge Alsup also expressed his own frustrations with serving as a federal judge in a digital age, noting that U.S. marshals are currently trying to figure out how to protect the home addresses of federal judges. He also said a hacker recently stole his identity and posed as him online, posting a blog about the now settled, high-profile Waymo v. Uber trade secrets dispute, which Judge Alsup presided over.

“I think most people realized it wasn’t really me,” the judge said.

Whether that’s true or not, it’s clear Judge Alsup is going to have high expectations regarding discovery related to the breach.

So, what do you think?  Will Facebook face “real money” payouts or “some cosmetic injunctive relief”?  And, what about European interests and GDPR possibly yet to come?  Please let me know your thoughts or if you have a topic that you’d like to suggest.


First Ever Multi-State Data Breach Lawsuit Targets Healthcare Provider: Cybersecurity Trends

Just as the number of data breaches continues to rise, the number of lawsuits over data breaches continues to rise as well.  Chances are that your data has been hacked at some point from at least one company with which you do business.  But this lawsuit is unique.

According to The Expert Institute (12 US States Join Forces to File First Ever Multi-State Data Breach Lawsuit, written by Victoria Negron), an Indiana court will serve as the venue for the first-ever multistate data breach lawsuit, as the attorneys general of twelve US states join forces against a healthcare provider and its subsidiary.

The lawsuit alleges that Fort Wayne-based Medical Informatics Engineering and its subsidiary NoMoreClipboard “failed to take adequate and reasonable measures to ensure their computer systems were protected,” resulting in a 2015 breach that gave hackers access to the personal healthcare information of 3.9 million US citizens. The stolen information included not only identifying details, such as names and Social Security numbers, but also healthcare information, including diagnoses and lab results.

Patients whose data was stolen in the hack had visited 11 different healthcare providers and 44 different radiology clinics, all of whom shared one common feature: they used the WebChart app offered by Medical Informatics Engineering and NoMoreClipboard. Most of the affected patients lived in Indiana, but several others were residents of different states.

In response to the hack, the attorneys general from Arizona, Arkansas, Florida, Iowa, Indiana, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin have jointly filed a cross-state lawsuit alleging multiple violations of the Health Insurance Portability and Accountability Act (HIPAA).  The lawsuit claims that the defendants failed to implement “basic industry-accepted data security measures,” leading to the breach.

According to the article, the use of “tester” accounts (with easily-guessed default usernames and passwords) enabled hackers to launch a SQL injection attack (which is the execution of malicious SQL statements to control a web application’s database server), giving them useful information that eventually led to the access of medical data.  Allegedly, Digital Defense, a company specializing in network security solutions, tested the software in 2014 and 2015 and reported “high risk” in the way the system was designed both times, yet the lawsuit alleges that the defendants did not make changes after Digital Defense’s warnings.

Amazingly, not all states allow patients whose personal health information (PHI) is breached to bring a private right of action regarding the breach (hopefully that changes someday), so pursuing legislation at the state level enables the attorneys general named in the complaint to more directly address HIPAA violations and the alleged misconduct that may have caused them.  Of course, chances are that any breach takes months to discover, so it’s not just about the breach, it’s also about discovering the breach.

So, what do you think?  Will we see more groups of states go after companies who fail to protect sensitive consumer data?  Please let me know your thoughts or if you have a topic that you’d like to suggest.


After Woman’s iPhone is Seized and She Sues, Homeland Security Agrees to Delete Her Data: eDiscovery Case Law

An American Muslim woman filed suit and asked a federal judge to compel border officials to erase data copied from her iPhone.  Now, she has settled her lawsuit with the government because federal authorities have agreed to delete the seized data.

As discussed in Ars Technica (Feds took woman’s iPhone at border, she sued, now they agree to delete data, written by Cyrus Farivar), in the case Lazoja v. Nielsen, attorneys for the woman, Rejhane Lazoja, filed what’s called a Rule 41(g) Motion, otherwise known as a “Motion to Return Property.”  Normally, this rule is invoked for tangible items seized as part of a criminal investigation, not for digital data that can easily be copied, bit for bit. But here, the plaintiff asked the judge to “return” data copied from an iPhone that she had already received back, fully intact, 90 days after the seizure.

Lazoja’s case has raised new questions about the state of the law with respect to warrantless border searches, particularly in the wake of two notable Supreme Court cases that have dealt with digital privacy in recent years, Carpenter v. United States (2018) and Riley v. California (2014).  The government claims that it has the authority to search and seize someone’s device without a warrant – otherwise needed in the interior of the country. Federal authorities rely on what’s known as the “border doctrine.” This is the controversial but standing legal idea that warrants are not required to conduct a search at the border. The theory has been generally recognized by courts, even in recent years.

In this case, however, Lazoja settled her lawsuit with the government after federal authorities agreed to delete the seized data.  So, the unusual approach worked in this case.

So, what do you think?  Should deletion of seized data be covered by a Rule 41(g) motion?  Please let us know of any comments you might have or if you’d like to know more about a particular topic.

Case link courtesy of eDiscovery Assistant.


California’s AG is Not Happy with the State’s New Consumer Privacy Act: Data Privacy Trends

As I noted a couple of months ago, 2018 is certainly on its way to becoming the year of data privacy rights for the individual.  And, back in June, the California Consumer Privacy Act of 2018 was approved unanimously by the state Senate and Assembly and was signed by Gov. Jerry Brown.  But, California’s AG has just ripped lawmakers for ‘unworkable’ provisions in the new law.

As discussed in Legaltech® News (California AG Rips Lawmakers for ‘Unworkable’ Provisions in New Data Privacy Law, written by Mike Scarcella), California Attorney General Xavier Becerra lashed out at lawmakers for imposing “unworkable obligations and serious operational challenges” on his office by effectively making him the chief enforcer of the new law.

In an August 22 letter to legislators who helped get the law passed in June, Becerra complained that his office is not equipped to handle all the related duties, including quickly drafting regulations and advising businesses about compliance with the California Consumer Privacy Act, or CCPA.

“Failure to cure these identified flaws will undermine California’s authority to launch and sustain vigorous oversight and effective enforcement of the CCPA’s critical privacy protections,” Becerra wrote in the letter.  Becerra also questioned the legality of the civil penalties included in the new law, which he said improperly modified the state’s Unfair Competition Law, or UCL.

“The UCL’s civil penalty laws were enacted by the voters through Proposition 64 in 2004 and cannot be amended through legislation,” Becerra wrote. The data-privacy law’s “constitutional infirmity” can be cured “by simply replacing the CCPA’s current penalty provision with a conventional stand-alone enforcement provision” that does not purport to change the Unfair Competition Law.

Lawmakers tried to address some of the attorney general’s concerns in clean-up legislation that was pending Wednesday in the Assembly. One bill, SB 1121, drops a requirement in the Consumer Privacy Act that consumers must first notify the attorney general’s office before suing over a data breach. The pending legislation recasts the civil penalty provisions and delays enforcement of the new law until six months after the attorney general publishes new regulations or July 1, 2020—whichever is sooner.

A separately pending budget bill would also appropriate $700,000 to Becerra’s office for help drafting and enforcing the new regulations.  But, the changes do not include a broader private right of action—sought by the attorney general—that would shift the litigation burden to consumers. Such a provision would have attracted fierce opposition from business groups that oppose any expansion of plaintiffs’ ability to bring class actions and individual suits.

Becerra’s beefs with the Consumer Privacy Act foreshadow the fights that are looming over the state’s sweeping digital information law as interests, including those in government, push to alter its reach and enforcement before it goes into effect in 2020.  And, the business lobby is already pushing to narrow what they have to disclose to consumers about information that is collected about them. Companies are also lobbying the federal government for industry-friendly rules that would preempt California’s new law.  It looks like California’s new privacy law may look a bit different when it goes into effect in January 2020 – if that timeline still holds.

So, what do you think?  Will California’s privacy law still hold as is?  Or will it be changed significantly?  Please share any comments you might have or if you’d like to know more about a particular topic.


Court Grants Defendant’s Motion to Compel Various Records from Plaintiff in “Slip and Fall” Case: eDiscovery Case Law

In Hinostroza v. Denny’s Inc., No.: 2:17–cv–02561–RFB–NJK (D. Nev. June 29, 2018), Nevada Magistrate Judge Nancy J. Koppe granted the defendant’s motion to compel discovery of various sources of ESI related to the plaintiff’s claim of injuries resulting from a “slip and fall” accident at one of the defendant’s restaurants.

Case Background

In March 2018, the defendant requested various releases from the plaintiff to obtain documents regarding her employment, a prior car accident in 2015, and records from medical providers; the plaintiff provided some of the requested releases in the same month.  In April 2018, the parties met and conferred three times regarding the outstanding releases, as well as the plaintiff’s responses to the defendant’s amended second set of requests for production of documents. When the parties were unable to resolve their discovery disputes, the defendant filed the instant motion to compel the outstanding releases and responses to its requests.

Judge’s Ruling

Noting that the “burden is on the party resisting discovery to show why a discovery request should be denied by specifying in detail, as opposed to general and boilerplate objections, why ‘each request is irrelevant’”, Judge Koppe ruled on each of the following sources of ESI requested by the defendant:

  • Copies of any and all documents related to the 2015 car accident the plaintiff identified in your response to Defendant’s Interrogatory No. 18, as well as information regarding two slip and fall accidents in 2012 where the plaintiff was treated by an orthopedist and a neurologist: Judge Koppe said that “Medical records of injuries prior to an alleged accident are relevant to the issue of whether the injuries existed at the time of the accident and whether the accident caused or aggravated the injuries” and also noted that “police reports and insurance records are relevant because they likely contain statements, photographs, or other information ‘to confirm or refute [a plaintiff’s] allegation [he or she] was not injured’ in an accident”. Because “Courts within the Ninth Circuit have found that medical records and reports dating between three years to ten years prior to an alleged accident are discoverable”, Judge Koppe granted the defendant’s request for this information.
  • Copies of any text messages, emails, or other written communications between either the plaintiff or her counsel and several witnesses and a copy of all text messages or emails the plaintiff sent in the 48 hours after the Subject Accident: Noting that “Phone records are discoverable if the request is narrowly tailored in date and time and relates to a key issue in the case”, Judge Koppe granted in part this request.
  • Copies of any [of] the data of any type of FitBit, or other activity tracker device from five (5) years prior to the Subject Accident through the present: Noting that the plaintiff had waived objections that the request was overbroad and unduly burdensome because she did not raise these objections in her initial response to Defendant’s amended second set of requests for production, Judge Koppe ordered the plaintiff to “supplement her response to Defendant’s request for production number 30 to fully describe the search she conducted for responsive documents, by July 20, 2018.”
  • Copies or allow for inspection, any social media account the plaintiff had from five (5) years prior to the Subject Accident through the present: Noting that “information from social media is relevant to claims of emotional distress because social media activity, to an extent, is reflective of an individual’s contemporaneous emotions and mental state”, Judge Koppe found “that social media information and communications are relevant and, thus, discoverable under Fed.R.Civ.P. 26(b)” and granted the defendant’s request for that information.
  • Authorization for the release of the plaintiff’s employment records: Despite the fact that the plaintiff claimed she was no longer pursuing a lost wage claim, Judge Koppe noted that “an amended complaint reflecting Plaintiff’s new claims has not been filed” and also observed that “it appears that Plaintiff’s claims of “limited occupational … activities … [and] loss of earning capacity” remain in her complaint”, so she granted that defendant’s request as well.

So, what do you think?  Did the judge fail to take into account privacy concerns of the plaintiff or should relevancy override privacy concerns in this case?  Please let us know of any comments you might have or if you’d like to know more about a particular topic.


SCOTUS Says Warrantless Access of Cell Phone Locations Violates Fourth Amendment: eDiscovery Case Week

eDiscovery Case Week continues!  We’re catching up on cases leading up to our webcast tomorrow where Tom O’Connor and I will be talking about key eDiscovery case law for the first half of 2018.  With that in mind, this is a key case decision that happened when I was on a family vacation last month.  Did you miss it?  In case you did, here it is.

In Carpenter v. U.S., No. 16–402 (U.S. June 22, 2018), the United States Supreme Court (SCOTUS) held, in a 5–4 decision authored by Chief Justice Roberts, that the government violates the Fourth Amendment to the United States Constitution by accessing historical records containing the physical locations of cellphones without a search warrant.

In 2011, Timothy Carpenter was arrested on suspicion of participating in a string of armed robberies at RadioShack and T-Mobile stores in Michigan and Ohio. In the course of the investigation, FBI agents acquired transactional records from Carpenter’s cell phone carrier. The government sought this data pursuant to the Stored Communications Act of 1986, which allows law enforcement to obtain communications records by demonstrating “specific and articulable facts” that the records are relevant to an ongoing investigation, rather than probable cause that a crime has been committed. The trial court denied Carpenter’s motion to suppress the records, and a jury convicted him of firearms violations and violations of the Hobbs Act. On appeal, Carpenter maintained that the acquisition of his cellular data without a warrant violated his Fourth Amendment rights, but the Sixth Circuit held that such a seizure did not constitute a “search” under the Fourth Amendment.  Carpenter petitioned to have the case heard by SCOTUS, which heard arguments in November 2017.

The Court issued its decision on June 22, 2018, with the court split 5–4 to reverse and remand the decision by the lower courts. In a very lengthy ruling, Chief Justice Roberts wrote the majority opinion, with Associate Justices Ginsburg, Breyer, Sotomayor, and Kagan joining Roberts’ opinion. The majority determined that the third-party doctrine applied to telephone communications in Smith v. Maryland could not be applied to cellphone technology and ruled that the government must obtain a warrant in order to access historical cellphone records. Roberts argued that technology “has afforded law enforcement a powerful new tool to carry out its important responsibilities. At the same time, this tool risks Government encroachment of the sort the Framers [of the US Constitution], after consulting the lessons of history, drafted the Fourth Amendment to prevent.”

Roberts also considered that “detailed, encyclopedic and effortlessly” tracking a person by cell towers was similar to that of using a Global Positioning System (GPS) tracking device as determined by United States v. Jones. Roberts stressed that the decision is a very narrow ruling; it does not affect other parts of the third-party doctrine, such as banking records, nor does it prevent collection of cell tower data without a warrant in emergencies or for national security issues.

Justices Kennedy, Thomas, Alito, and Gorsuch each wrote dissenting opinions.  Justice Alito wrote in his dissent:

“I share the Court’s concern about the effect of new technology on personal privacy, but I fear that today’s decision will do far more harm than good. The Court’s reasoning fractures two fundamental pillars of Fourth Amendment law, and in doing so, it guarantees a blizzard of litigation while threatening many legitimate and valuable investigative practices upon which law enforcement has rightfully come to rely.”

So, what do you think?  Does this ruling appropriately limit law enforcement use of private cell phone location data without a warrant, or does it hamstring the ability of law enforcement to adequately investigate suspects?  Please let us know of any comments you might have or if you’d like to know more about a particular topic.


FTC Cracks Down on Privacy Shield Posers: Data Privacy Trends

Did you ever wonder what happens if a company falsely claims that they are certified compliant with either the EU-U.S. or Swiss-U.S. Privacy Shield framework?  Or falsely claims that they are in the process of being certified compliant?  Apparently, the Federal Trade Commission (FTC) gets on their case about it.

According to ACEDS (California Company Settles FTC Charges Related to Privacy Shield Participation), ReadyTech Corporation, a California company, has agreed to settle Federal Trade Commission allegations that it falsely claimed it was in the process of being certified as complying with the EU-U.S. Privacy Shield framework, which establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law (we covered details of the framework when it was introduced over two years ago).

“Today’s settlement demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield,” FTC Chairman Joe Simons commented. “We believe Privacy Shield is a critical tool for ensuring transatlantic data flows and protecting privacy that benefits both companies and consumers.”

According to the FTC’s complaint, the Commission alleges that ReadyTech, which provides online training services, falsely claimed on its website that it is “in the process of certifying that we comply with the U.S.-E.U. Privacy Shield Framework.” While ReadyTech initiated an application to the U.S. Department of Commerce in October 2016, the company did not complete the steps necessary to participate in the Privacy Shield framework. The Department of Commerce administers the framework, while the FTC enforces the promises companies make when joining the Privacy Shield.

The FTC alleges in its complaint that the company’s false claim that it is in the process of certification violates the FTC Act’s prohibition against deceptive acts or practices.

As part of the settlement, ReadyTech is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework. It also must comply with standard reporting and compliance requirements.

This is the FTC’s fourth case enforcing Privacy Shield. It continues the FTC’s commitment to enforcing international privacy frameworks, making a total of 47 cases enforcing the Privacy Shield, the predecessor Safe Harbor framework, and the Asia Pacific Economic Cooperation Cross Border Privacy Rules framework.

As you may or may not know, CloudNine is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (so, yes, at CloudNine we are “certifiable”).  :o)  Periodically, you have to recertify – in fact, I just completed the recertification process for CloudNine a while back.  It’s good to know that somebody is checking up on companies to make sure that their claims of being Privacy Shield compliant are valid.

So, what do you think?  Is your organization Privacy Shield certified?  Are your providers certified?  Please share any comments you might have, or let us know if you’d like to know more about a particular topic.

P.S. — Happy Birthday, Kiley!  You’re now officially a teenager!  😮


In California, Data Privacy Foresight is 2020: Data Privacy Trends

2018 is certainly on its way to becoming the year of data privacy rights for the individual.  Barely over a month after the General Data Protection Regulation (GDPR) came into effect in the European Union, California has passed a new data privacy law which will give consumers the right to obtain data collected about them, the right to request deletion of the data, and the right to direct a business not to sell the information to third parties.

As reported by the ABA Journal, Ars Technica and Ride the Lightning (among other sites), the California Consumer Privacy Act of 2018 was approved unanimously by the state Senate and Assembly on June 28 and was signed by Gov. Jerry Brown.  The law is set to take effect on January 1, 2020 (which explains my “clever” blog title)… :o)

A legislative bill summary says the law will give Californians “the right to know what PI [personal information] is being collected about them and whether their PI is being sold and to whom; the right to access their PI; the right to delete PI collected from them; the right to opt-out or opt-in to the sale of their PI, depending on age of the consumer; and the right to equal service and price, even if they exercise such rights.”

The bill requires companies to disclose the personal data collected about a consumer when the consumer requests it, up to two times a year, and to delete the personal information and stop selling it to third parties upon request.  It also prevents businesses from selling personal information about minors to third parties unless the parent of a minor younger than 13 affirmatively authorizes the sale, or a minor between the ages of 13 and 16 opts in to the sale.

A consumer whose data is hacked is entitled to recover statutory damages of up to $750 in a civil suit when a company fails to maintain reasonable security procedures. However, a consumer can’t sue unless 1) the consumer first notifies the business and the state attorney general, 2) the business doesn’t correct the problem within 30 days and 3) the state attorney general does not bar the suit.  That’s a lot of contingencies and a small damage amount, though that number could add up if several consumers are involved and sue.  Also, intentional violations can bring civil penalties of up to $7,500 per violation.

The group Californians for Consumer Privacy had sponsored a ballot initiative and had gathered roughly 625,000 signatures to get the initiative on the ballot in November, but group chair and ballot question sponsor Alastair Mactaggart agreed to pull the question if the state passed the bill by June 28, the last day on which the question could be pulled from the ballot.

Will other states follow suit?  In 2018, the year of data privacy, I wouldn’t be surprised if they do and do so quickly.

So, what do you think?  Does this law go far enough in protecting the data privacy rights of Californians?  Or does it fall short?  Please let us know of any comments you might have, or if you’d like to know more about a particular topic.


GDPR is Here! Is Your Law Firm Fully Prepared for It? Maybe Not: Data Privacy Trends

Unless you live under a rock, you know that the deadline for compliance with Europe’s General Data Protection Regulation (GDPR) has come and gone (it was May 25 – almost three weeks ago now).  So, does that mean your law firm is fully ready for it?  Based on the results of one survey, the odds are more than 50-50 that they’re not.

In Legaltech® News (Not Just Corporate: Law Firms Too Are Struggling With GDPR Compliance, written by Rhys Dipshan), the author covers a recent Wolters Kluwer survey conducted among 74 medium (26-100 staff members) to large (100-plus) law firms.  The result?  Fewer than half (47 percent) feel fully prepared to address the new GDPR requirements.  Another 16 percent of respondents said they were somewhat prepared, and more than a third (37 percent) had made no specific preparations.

Barry Ader, vice president of product management and marketing at Wolters Kluwer, noted that part of the reason many law firms were unprepared for GDPR was that they thought there would be an extension to the deadline. “Many of the law firms kind of half expected that there would be a delay, and they wouldn’t have had to solve the problem by May 25,” he said.  Ader also noted that the lack of preparation was a sign that “law firms just don’t have the necessary skills, people, and budget to figure out how to handle GDPR.”

Other notable results:

  • Fewer than half of respondents (43 percent) had assigned a Data Protection Officer, a requirement for many organizations under GDPR. However, nearly 60 percent had assigned an individual, team or outside consultant to lead GDPR compliance efforts. And approximately 72 percent of those surveyed were also investing in cybersecurity solutions because of the new regulation.
  • With regard to employee training on security, the survey found that only 43 percent of law firms conducted security and privacy training annually, while 24 percent had done training in the past three years. An additional 15 percent said that while they did not currently train employees, they were planning to do so in the near future. Amazingly, 17 percent of respondents did not conduct training and had no plans to train at all.

If you’re a client of a law firm, you may want to check whether your firm can demonstrate full preparedness for GDPR.  If you believe this survey, the odds are better that it can’t than that it can.

So, what do you think?  Is your organization fully prepared for GDPR?  Please let us know of any comments you might have, or if you’d like to know more about a particular topic.
