Privacy & Cybersecurity

The FTC has announced (press release) that it is seeking public comment on a second verifiable consent method proposed under the Voluntary Commission Approval Process provision of the COPPA Rule. The proponent is Imperium, LLC (“Imperium”), a Connecticut-based technology services company.

As we learned this summer, online account usernames can be, well . . . somewhat embarrassing when made public. Here in California, however, that type of username or an email address, in combination with a password or security question and answer, could soon be considered personal information.

The Federal Trade Commission (“FTC”) recently entered into a settlement agreement with TRENDnet, Inc., a company that sells Internet Protocol (“IP”) cameras that allow customers to monitor their homes remotely over the Internet. 

After several months of work, the National Institute of Standards and Technology (NIST) has published a draft of the cybersecurity “Framework” it is developing in response to Executive Order 13636.

Two data privacy bills, Assembly Bill 370 and Senate Bill 568 have been sent to California Governor Jerry Brown for signature. As we previously reported, A.B. 370 would require commercial websites or online services that collect personally identifiable information to disclose how that site or service responds to “do not track” signals or similar mechanisms. 

If you use Facebook (and you likely do, if only to play some game that apparently involves crushing large amounts of candy), then you received an email last week informing you that Facebook is proposing changes to its Data Use Policy and Statement of Rights and Responsibilities. 

As we predicted, the California Senate has approved A.B. 370, a bill that would require commercial websites or online services that collect personally identifiable information to disclose how that site or service responds to “do not track” signals or similar mechanisms. 

As the summer winds down, we find that privacy and security issues remain at the top of mind for companies, hackers, and regulators alike.

Yesterday, the FTC published a Federal Register notice requesting public comment on the first new method for obtaining verifiable parental consent submitted for FTC approval by AssertID, Inc under the Voluntary Commission Approval Process provision of the COPPA Rule.

After a brief August hiatus, Privacy Monday is back with privacy goofs, gaffes and tidbits to start your week.

We've sounded warnings about the lowly copy machine before. The proliferation of digital devices in the workplace means that data security must extend beyond computer networks and laptops. Seemingly old fashioned equipment, such as copiers, can hide sensitive legally-protected data.

What did you do over your summer vacation? Yes, the sad truth is that summer is almost over. You can tell because there wasn’t a single superhero movie that opened at the box office last weekend (no, Smurfs2 does not count) and because the California Senate is preparing to reconvene from its summer recess.

Last week an Oregon jury awarded an individual plaintiff over $18 million in compensatory and punitive damages in what some sources have reported to be the first jury verdict in a case brought under the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681a(c). 

The California ballot measure process permits any California voter to propose a ballot initiative to the state’s Attorney General which, if enough signatures are gathered, will then appear on state-wide ballot for approval at the next election.

It appears that Wyndham Hotel & Resorts LLC (“Wyndham”) has received reinforcements in its defense against the Federal Trade Commission’s (the “FTC”) case. A federal judge has agreed to allow the U.S. Chamber of Commerce and several other organizations to file an amicus curiae brief in support of dismissing the FTC’s case against Wyndham.

Just before the Labor Day holiday, the Federal Trade Commission issued a press release announcing its complaint against LabMD, Inc., a company that performs medical testing for consumers around the country. The complaint alleges that the company did not take reasonable measures to protect the security of consumers’ personal data. 

The "hits" to data bases, in any event. Here is a rundown of some of the most recent data breach reports --
Oregon Health & Science University Data Breach Compromises 3,000 Patients’ Records in the Cloud.

Ever since our 2013 prediction, an ever increasing number of public companies are adding disclosure related to cybersecurity and data breach risks to their public filings. We previously analyzed how the nation’s largest banks have begun disclosing their cybersecurity risks. 

Aiming to “address the real privacy and security risks that consumers face when telecommunications carriers use their control of customers’ mobile devices to collect information about their customers’ use of the network,” the Federal Communications Commission (FCC) has adopted a Declaratory Ruling holding that the existing rules requiring carriers to protect customer proprietary network information (CPNI) apply to CPNI collected by mobile devices when such collection is undertaken at the carrier’s direction and the carrier has access to or control over that information.

The latest in a series of National Institute of Standards and Technology (“NIST”) publications is the Guidelines for Managing the Security of Mobile Devices in the Enterprise (the “Guidelines”), a comprehensive document to help federal agencies manage and secure mobile devices such as smart phones and tablets used by their employees for government business (whether organization-provided or personally-owned) against a variety of threats.