Momentum is building in Congress for federal privacy legislation, and several states have their own privacy laws in the works. But as concerns grow that companies are collecting and sharing personal information about U.S. residents without their knowledge and are not adequately protecting that data, regulators and plaintiffs aren’t waiting for new laws. Instead, they are refitting existing laws to meet their data privacy and security objectives.
“Companies will only have to deal with one single supervisory authority, not 28, making it simpler and cheaper for companies to do business in the EU.”
European Commission, at the time of the adoption of the GDPR
At the time of the adoption of the European General Data Protection Regulation (GDPR), the European Commission touted as the key benefit for companies that the GDPR would bring a one-stop-shop enforcement mechanism (1SS): for controllers or processors with multiple establishments in the EU, the supervisory authority (SA) of the controller’s or processor’s ‘main establishment’ in the EU serves as the ‘lead SA’ for its ‘cross-border processing’ activities.
In the first landmark enforcement decision under the GDPR, the French SA (CNIL) fined Google 50 million euros (the highest fine so far), despite the fact that the complaints (PDF: 1.03 MB) concerned cross-border processing in the EU, which calls for 1SS enforcement. The CNIL considered that although Google has its EU headquarters in Ireland, the Irish entity ‘did not have a decision-making power’ in relation to the purposes and means of the relevant cross-border processing activities. For that reason, the CNIL decided that the 1SS mechanism did not apply and that the CNIL was therefore competent to decide the matter itself.
This is noteworthy because the main complainant apparently filed similar complaints against Instagram, Facebook, and WhatsApp with the SAs of Austria, Belgium, and Germany, all of which passed the complaints to the Irish SA (as the ‘lead SA’) because these companies have their EU headquarters in Ireland.
The California Consumer Privacy Act (CCPA) is an important development for companies doing business in California that have revenues above a modest threshold, which effectively means that the act will affect many of the largest companies doing business in the United States. On Monday, February 25, 2019, Senator Robert Hertzberg, who represents the eastern San Fernando Valley senate district and was recently selected as Senate Majority Leader, addressed a group in downtown San Francisco about the CCPA. Senator Hertzberg, along with California State Assembly member Ed Chau, was one of the primary architects of the CCPA, so his comments about the act are worth paying attention to.
Financial authorities worldwide are focused on how new technologies can be used to combat money laundering and financial crime more effectively. The UK’s Financial Conduct Authority (the “FCA”) is one of the leaders in the movement towards using financial technology (FinTech) and regulatory technology (RegTech) to fight money laundering. At the FCA’s most recent conference on this issue, which was attended by over 100 technology firms, regulators, and law enforcement agencies from the US, Europe, the Middle East, and Asia, participants were tasked with developing proposals to address fifteen problem statements relating to how new technologies can more effectively combat money laundering and financial crime. This article addresses one of the proposals that received significant attention during and after the conference.
The proposal, offered by a team from Santander Bank and others, called for financial institutions to use distributed ledger technology to build a shared database of “bad actors” without requiring the institutions to share the underlying transactional data that led to the “bad actor” designation. The goal was a money laundering detection network that benefits every financial institution in the ecosystem without running afoul of data privacy restrictions. This “Catch the Chameleon” proposal won the “Eureka” award at the conference for the “most original idea” and, according to the FCA website, will receive “support to progress” from Level 39, RegTech Associates and The Disruption House. Following the conference, the proposal continued to receive attention from other major financial institutions. For example, Credit Suisse highlighted the proposal in its letter (PDF: 338 KB) responding to FINRA’s request for comment on FinTech innovation, deeming it worthy of exploration.
There is clearly merit behind the “Catch the Chameleon” proposal. Information sharing between the private and public sectors, and among the different institutions in the private sector, is essential to combat money laundering. Using distributed ledger technology to facilitate that sharing also appears to have significant benefits, such as relatively low implementation costs and giving enforcement agencies a single, real-time source of data covering all participating financial institutions. However, the platform or database as described on the FCA website poses at least three significant dangers, and in light of the heightened attention this proposal has received, those concerns are worth further discussion and exploration.
We recently wrote about companies monitoring employees to reduce cybersecurity risks. Those insider threat risks do not end when employees leave the company. Sensitive company data in the hands of a disgruntled former employee is an obvious risk, but so is unauthorized access to confidential company information by a former employee acting in good faith. Companies must therefore take steps to keep their data from walking out the door with departing employees.
New cyber regulations, such as the California Consumer Privacy Act, have companies concerned about expanding potential liability. Companies fear that private rights of action are being created that will allow consumers to sue by alleging that a company failed to protect their personal information. But attention should also be paid to plaintiffs’ recent successes in applying existing legal frameworks, such as basic tort law, to cyber cases. We have previously written about the use of state consumer protection acts to recover in data breach cases. Recently, plaintiffs have also made significant inroads in bringing negligence actions against companies that have experienced cyber events.
On January 28, 2019, the U.S. District Court for the Northern District of Georgia issued a decision in the Equifax Consolidated Consumer Class Action allowing the consumers’ negligence claims against Equifax to move forward. Judge Thrash found that the consumers had sufficiently alleged injuries resulting from the breach, pointing to the “unauthorized charges on their payment cards as a result of the Data Breach” as actual, concrete injuries that are legally cognizable under Georgia law. The Court rejected Equifax’s arguments that the consumers’ injuries should be attributed to the hackers and could have been caused by data breaches at other companies. The Court noted that allowing companies “to rely on other data breaches to defeat a causal connection would ‘create a perverse incentive for companies: so long as enough data breaches take place, individual companies will never be found liable.’” Critically, the Court found that, given the foreseeable risk of a data breach, Equifax owed consumers an independent legal duty of care to take reasonable measures to safeguard the personal information in its custody. Because that duty was independent of any contract, the Court held that the economic loss doctrine did not bar the consumers’ recovery.
In the last few years, we have seen a dramatic increase in the purchase and sale of alternative data, a shorthand for big data sets such as satellite images of parking lots, drug approvals, credit card purchases, cellphone data on retail foot traffic, and construction permits. According to alternativedata.org, the alternative data industry is projected to be worth $350 million in 2020. The recent announcement by Bloomberg LP that it is offering a product giving clients access to large volumes of alternative data shows how widely this information is used in making investment decisions, which in turn is driving hedge fund managers and institutional investors to seek even more untapped alpha-generating data sets. Not surprisingly, all this activity is attracting increased regulatory scrutiny.
By Avi Gesser, David Popkin, and Michael Washington
Until recently, biometric privacy was a niche area of the law with little application to most companies. But with the rapid growth in commercial biometric data collection, including voice samples, fingerprints, retina scans, and facial geometry, as well as some recent developments in the applicable case law, it is probably time for companies to start paying attention. Indeed, one of our top privacy law predictions for 2019 was a judicial expansion of the notion of harm, which happened more quickly than we anticipated in the context of biometric data collection.
On January 25, 2019, the Illinois Supreme Court decided Rosenbach v. Six Flags Entertainment Corporation, 2019 IL 123186 (PDF: 61.7 KB), unanimously finding that plaintiffs could bring a private cause of action for violations of the notice and consent requirements of the state’s biometric privacy law without any showing of harm. In Six Flags, a mother sued the owner of a theme park on behalf of her teenaged son after he was fingerprinted in connection with the purchase of a season pass to the park. Neither the son nor the mother consented in writing to the taking of the fingerprint or signed any written release. Further, the park did not provide any documentation of its retention schedule or guidelines for retaining and then destroying the data. The court found that individuals possess a right to privacy in and control over their biometric identifiers.
While the General Data Protection Regulation (GDPR) significantly expanded the powers of European national data protection authorities in 2018, legislative and enforcement developments in the United States over the last year showcased the growing role and importance of state attorneys general and other state regulators in the realm of cybersecurity and data privacy.
In 2018, California passed a data privacy law akin to the GDPR and enacted legislation addressing internet-based bot activity and the security of devices connected to the Internet of Things. With the passage of legislation in Alabama in March 2018, all 50 states now have data breach notification laws, with requirements as to notification content, timing, and recipients varying across jurisdictions. And the prescriptive cybersecurity regulations promulgated by New York State’s Department of Financial Services continued to take effect on a rolling basis. Absent preemptive legislation at the federal level, where proposals are stalled in Congress, we can expect data protection and privacy laws and regulations to proliferate at the state level as state legislatures and regulators vie for the mantle of lead cybersecurity enforcer.
Technology continues to have an enormous impact on financial services and the pace of change shows no signs of abating. Following the bold predictions we made last year, we highlight the five stand-out trends for fintech in 2019.
1. CRYPTO CRACKDOWN
There has been massive growth in the market for cryptoassets such as Bitcoin and tokens issued in initial coin offerings (ICOs), but market participants have faced uncertainty as to whether cryptoassets may be regulated financial products (and therefore subject to scrutiny by regulatory authorities). Enforcement investigations globally have largely focused on fraud, but there is now a renewed focus on guarding the regulatory perimeter (i.e. ensuring that businesses carrying on regulated activities have the appropriate authorisation). Disputes and enforcement cases are arriving in courts across the globe.