Posternak Blankstein & Lund LLP is now Arent Fox. Read the press release

Privacy Update: SCOTUS: Accessing Private Database for Improper Purpose Not Violation of Computer Fraud and Abuse Act.

Headlines that Matter for Privacy and Data Security

US News

SCOTUS: Accessing Private Database for Improper Purpose Not Violation of Computer Fraud and Abuse Act.

In a recent Supreme Court case, Van Buren v. United States, the Court narrowed the applicability of the Computer Fraud and Abuse Act. (CFAA). The Court determined that a police officer with permission to access a law enforcement database did not violate the statute when he obtained information from that database for an improper purpose, namely accepting $6,000 to look up whether someone was an undercover police officer. Rejecting the DOJ's argument that the 1984 statute's scope is "clear," the high court agreed that the CFAA's language allows prosecutors and private entities to pursue claims based on minor activities.

$500K SEC Settlement Reached Over Disclosure Failures 

The SEC has reached a roughly $500,000 settlement with a real estate settlement company regarding a cybersecurity defect that exposed personal financial information on over 800 million mortgage title insurance records. The SEC faulted the company for lacking disclosure protocols that should have alerted senior management to the problem and for ineffectively communicating the failure to senior management once aware. As part of the settlement, "the company consented to the entry of an order finding a violation of Rule 13a-15 of the Securities Exchange Act of 1934, which requires issuers of registered securities to maintain effective disclosure controls."

Attorneys, Be Specific and Communicative About Who Your Clients Are – Loss of Attorney-Client Privilege

Ex-Theranos CEO Elizabeth Holmes' recently lost her attorney-client privilege in a pretrial dispute over her communications with her attorney. Some are flagging this as "a cautionary tale" to corporate attorneys. Holmes argued in her briefs that the law firm began jointly representing her and Theranos in a 2011 intellectual property dispute. She said that over time their relationship "grew organically," with the law firm jointly advising Holmes and the company on a variety of topics through 2016, including in Holmes’ personal interactions with media. However, a U.S. Magistrate Judge ruled that Holmes had not shown that she made it clear to her attorneys that she was seeking legal advice in her personal capacity and not just as a company executive, thereby rendering the communications subject only to corporate privilege.

Ensure Consumers’ Private Information is Properly Secured - FTC and MoviePass Reach Settlement Regarding Data Security Failure  

The operators of the MoviePass subscription service settled Federal Trade Commission allegations that they took steps to prevent subscribers from using the service as advertised, and that they failed to secure subscribers’ personal data. The FTC alleged that despite language in MoviePass’s privacy policy to the contrary, the company stored consumers’ personal data, including names, email addresses, birth dates, credit card numbers, and geolocation data, in unencrypted plain text and failed to impose access restrictions. Thus, according to the FTC, MoviePass failed to take reasonable steps to secure its subscribers’ personal information.

Be Meticulous with Biometric Data Collection - Recent Pricy BIPA Lawsuits

Six Flags has agreed to pay $36 million to end a class action lawsuit accusing it of collecting customers’ biometric fingerprint data in violation of Illinois’ biometric privacy law. Meanwhile, a proposed $5 million class action accusing McDonald's of violating Illinois' Biometric Information Privacy Act by storing customers' voiceprints without their permission has been filed in federal court.  Both instances serve as good reminders to avoid the collection of biometric data unless absolutely necessary.

California Privacy Protection Agency Board's Inaugural Public Meeting

The passage of the California Privacy Rights Act (CPRA) established a new enforcement agency, the California Privacy Protection Agency (CPPA), which is the first agency in the country solely dedicated to privacy. The CPPA will implement and enforce the law, and has several responsibilities including rulemaking. The five-member board met for its inaugural meeting on June 14, 2021.  While the majority of the meeting covered administrative procedures and requirements for setting up a new agency, there were some helpful clarifications on timing. Draft regulations will be submitted by mid-May 2022 at the very latest to meet the July 2022 deadline for the CPRA regulations. Additionally, the CPPA is focused on quickly hiring an Executive Director and Chief Deputy Director of Administration. Candidates for the positions will be considered in a public meeting. The meeting materials for the inaugural meeting are available here.

New Nevada Internet Privacy Bill Signed by Governor

There is a new data broker law in Nevada, making it the third state to have a law addressing data brokers (in addition to California and Vermont). The text of the bill is here and bill history can be found here. The bill is set to take effect October 1, 2021. In particular, the bill provides for, among other things:

  1. prohibitions on data brokers from making any sale of certain information collected about a consumer if so directed by the consumer; 
  2. requirements for data brokers to establish a designated request address through which a consumer may submit a verified request to direct a data broker not to make any sale of any covered information about the consumer that the data broker has purchased or will purchase;
  3. requirements for data brokers to respond to such requests within 60 days of receipt;
  4. the possibility for a data broker who has not previously failed to comply with these provisions to remedy any failure to comply within 30 days after being informed of such a failure; and powers for the Attorney General to institute legal proceedings against a data broker believed have directly or indirectly violated the provisions of the bill.

Bose Added to List of High-Profile Companies Who Have Suffered Ransomware Attack

Bose discovered that using access to HR systems, attackers accessed current and former Bose employees’ personal data – specifically names, social security numbers, compensation information, and other HR-related information. In addition to providing free identity protection services to the affected individuals for 12 months, Bose implemented new and additional security measures to defend its systems and lessen the risk of future infiltration, including among others: (i) enhanced malware/ransomware protection on endpoints and servers; (ii) enhanced monitoring and logging to identify any future actions by the threat actor or similar types of attacks; and (iii) changing passwords for all end-users and privileged users. Similar efforts are required or soon will be by the scores of data protection statutes in force now or being debated in states and in the federal government, many of which grant rights to employees to seek relief should their data be exfiltrated from their employer.

CCPA Record-Keeping Obligations – Disclosures due July 1, 2021

Businesses that handle the personal information of 10,000,000 or more Californians are subject to additional record-keeping requirements under the CCPA Regulations. Per Section 999.317, subd. (g), businesses must disclose the following by July 1, 2021:

  • The number of requests to know that the business received, complied with in whole or in part, and denied;
  • The number of requests to delete that the business received, complied with in whole or in part, and denied;
  • The number of requests to opt-out that the business received, complied within whole or in part, and denied; and
  • The median or mean number of days within which the business substantively responded to requests to know, requests to delete, and requests to opt-out.

Augmented Reality Makeup Tools Serve as Foundation for BIPA Class Actions

Class action lawsuits have been filed in Illinois state court, alleging that cosmetics company, Mary Kay, and beauty retailer, Ulta, violated Illinois’ Biometric Information Privacy Act (“BIPA”). The complaints claim that Mary Kay and Ulta, two beauty brands, scanned and collected consumers’ geometric facial data without consent through the companies’ respective online augmented reality tools. While both websites host a privacy policy, BIPA requires very specific notice and consent procedures prior to collection. The two lawsuits allege that such consent was not obtained. This case serves as a good reminder to review collection practices tied to collection of biometric data for compliance with BIPA and similar standards.

EU News

New European Commission Standard Contractual Clauses Published

The European Commission published new standard contractual clauses between controllers and processors, which function as an annex that can be attached to commercial agreements. These EC Art. 28 SCCs became effective June 27, 2021. The new controller to processor EC Transfer SCCs incorporate GDPR compliant data processing terms, so when the controller to processor Transfer SCCs are used, EC Art. 28 SCCs (or any other form of additional data processing agreement) are not also required. Notably, the EC Art. 28 SCCs are optional.

Irish Data Protection Commission Publishes DPO Registration Guidelines

The Data Protection Commission ('DPC') recently released guidance on the DPO Register. In particular, the guidelines noted that all organizations that have appointed a data protection officer (DPO) pursuant to Article 37(1) General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) are required to notify the contact details of their DPO to the DPC, which maintains these details in the DPO Register. The guidelines also provided clarification on which organizations are required to appoint a DPO, how an organization should communication their DPO details with the DPC, and whether the DPC will notify organizations once their DPO is on the register.

France: CNIL Addresses Cookie Walls and Monetization of Personal Data

The French data protection authority ('CNIL') issued recent guidance on legal and ethical issues concerning cookie walls and the monetization of personal data. In particular, CNIL outlined that an emerging concept of data property rights, whereby individuals monetize their personal data and allow companies to exploit it in such a way that both companies and individuals can earn income from it, is contrary to the currently applicable law. With respect to cookie walls, CNIL noted that the requirement of free consent cannot justify a general ban on the practice of cookie walls and that the freedom of consent of individuals must be assessed on a case-by-case basis, taking into account the existence of a real and satisfactory alternative offered in the event of the refusal of cookies.

Netherlands Protection Authority Publishes Works Council’s Privacy Booklet for the Workplace

Dutch protection authority (AP) recently published the Works Council privacy booklet to the Social and Economic Council ('SER'). In particular, the AP noted that in support of the Works Council, the guide covers the following topics: (i) the right of consent; (ii) the definitions of personal data and of processing; (iii) important privacy rules from the GDPR and questions to ensure employers' plans are GDPR-proof; and (iv) assessment questions where an employer intends to use a personnel tracking system.

G7 Summit Highlights Importance of Privacy and Data Considerations

Of particular note, the G7 Summit held in June 2021 highlighted calls for the following:  (i) championing data free flow with trust; (ii) working to address the escalating shared threat from criminal ransomware networks; (iii) securing supply chains, and (iv) the continued need for respecting freedoms of speech and peoples' reasonable expectation of privacy.


China’s Data Security Law Passed

On June 10, 2021, China's National People’s Congress Standing Committee passed the third iteration of its Data Security Law ("DSL"). The DSL will take effect on September 1, 2021. Notably, this third revision of the DSL implements the following: (i) the concept of "national core data," noting that a "more stringent regulatory system" shall be implemented with respect to this data; (ii) heightened approval requirements and more stringent penalties for data requests by foreign judicial or law enforcement entities; and (iii) that state authorities are bound by the DSL in the same way as private parties. In addition, the final DSL imposes additional confidentiality requirements and considers elderly citizens’ needs in developing and improving “intelligent/smart public services.”


Continue Reading