Consumer Protection Archives - Page 11 of 24

Consumer Protection

In with the New: 2015 Privacy, Advertising and Digital Media Predictions – Part II

by McDermott Will & Emery | Jan 14, 2015 | Consumer Protection, Cybersecurity, Data Privacy, General Interest, Social Media

More predictions about privacy, advertising and digital media trends making headlines in 2015 from Of Digital Interest editor Bridget O’Connell and predictions from our London office by Rob Lister:

Employee Social Media Accounts Garner Increased Attention
by Bridget K. O’Connell, Associate

In 2015, I predict an increased focus on employees’ rights regarding their personal social media accounts. Since 2012, individual states have enacted laws prohibiting employers from requesting access to their employees’ (or job applicants’) personal social media accounts. In 2014 alone, six states enacted such laws, bringing the total number of states with this type of legislation to 18. (Click here for additional analysis of the impact of these laws on employers.)

In addition to individual states’ laws, I expect clarification on a national level regarding employer policies and actions related to employees’ personal social media accounts. In the past year, the National Labor Relations Board (NLRB) has started to focus on whether employer policies regarding employee social media accounts are consistent with the National Labor Relations Act (“Act”). The Act prohibits employers from interfering with employees who come together to discuss their employment for the purpose of collective bargaining or other mutual aid or protection. According to the NLRB, employees’ comments on their personal social media accounts can constitute protected activity under the Act. One recent NLRB case involved two employees who posted on their Facebook accounts about the employers’ alleged failure to correctly withhold taxes from their paychecks. The employer terminated the employees because of their comments on their personal social media accounts. The NLRB found that the employee’s comments were protected under the Act, ordered the employer to reinstate the employees, and ordered the employer to clarify its social media policy. The employer is now appealing the NLRB’s determination in court.

I predict not only that more states will enact employee social media account legislation, but also that the NLRB and the courts will provide more guidance on employer restrictions or sanctions related to employee social media use.

Cybersecurity Predictions from London
by Rob Lister, Associate

With fines for security breaches expected to rise dramatically under the proposed Data Protection Regulation and recent cybercrime/cyberterrorism looking to be an increasingly effective and efficient weapon across all industry sectors, we can expect companies to pay more attention to how they protect their personal data. In addition, we can expect to see more frequent and sophisticated attacks with a view to exposing personal data (or at least holding it for ransom), requiring increased security measures as a matter of course. We may also see increased difficulty in obtaining insurance coverage protecting against such attacks unless companies implement specific risk controls.

In with the New: 2015 Privacy, Advertising and Digital Media Predictions – Part I

by Jennifer S. Geetter | Jan 7, 2015 | Big Data, Consumer Protection, Data Privacy, General Interest, Mobile Apps

What privacy, advertising and digital media trends will make headlines in 2015? Digital Health for one, Big Data for another.

Digital Health

The 2015 International Consumer Electronics Show (CES) started yesterday. Sessions like “Sensibles: The Smarter Side of Wearables” and “DIY Health: Consumer Accessible Innovation” suggest that the consumer health issues explored by the Federal Trade Commission (FTC) last Spring (see our blog post here) are increasingly relevant. Most notably, as more health-related information becomes digital, digital health businesses will need to revisit long-standing privacy, intellectual property protection, notice and consent practices that may not be well-suited to the more sensitive category of consumer-generated health information (CHI) (i.e., health-related information that consumers submit to or through mobile apps and devices). In many cases, the law is underdeveloped and businesses must develop and implement their own best practices to demonstrate good faith as stewards of CHI.

We predict that CHI and the issues raised by its collection, use, disclosure and storage will stay on the FTC’s radar during 2015. Perhaps the FTC will offer some insight about its position on CHI through guidance or regulatory activity related to a digital health business.

With mobile devices proliferating, the volume, versatility and variety of consumer-generated data, including CHI, also is proliferating. CHI typically stands outside of HIPAA’s regulatory silo. HIPAA regulates health plans, health care clearinghouses, health care providers who engage in standardized transactions with health plans and the business associates that assist health plans, clearinghouses and providers, and need protected health information to provide that assistance. Mobile medical services and environments, however, typically fall outside of this framework: most mobile apps, for example, are used directly by consumers, and often at the direction of and under the control of plans and providers. HIPAA may have, however, more reach into the growing business-to-business mobile app sector.

But, in the CHI arena, the sources of privacy and security regulation are murky. Among likely hot topics in 2015 are:

When is consumer-generated information also consumer-generated health information?
Can data ever be “de-identified” or made anonymous in light of the so-called mosaic (or pointillist) effect?
What role can the “pay with data” model play in consumer protection?
Is all CHI deserving of the same level of protection?
What sources of oversight exist and are they sufficient?

The news is ripe with references to data “privacy” and data “security,” but the sensitivity associated with health information requires thinking about data “stewardship” – a broader concept that encompasses not only privacy and security but also data asset management and data governance. Data stewardship captures not only data as an asset, but also as an opportunity to earn public trust and confidence while preserving innovation.

We predict that how to be good data stewards will be a critical issue for digital health businesses in 2015 and that forward-looking and transparent efforts at self-policing will be key to not only avoiding regulatory scrutiny but also fostering consumer trust.

Big Data

Big Data was big news [...]

Continue Reading

Just in Time for the Holidays: Another HIPAA Settlement

by Edward G. Zacharias | Dec 12, 2014 | Consumer Protection, Cybersecurity, Data Privacy

Following an Office for Civil Rights investigation, Anchorage Community Mental Health Services, Inc., agreed to pay $150,000 and comply with a two-year Corrective Action Plan to settle allegations that it violated the HIPAA Security Rule. This settlement is another reminder that covered entities and business associates should take the necessary steps to ensure compliance with HIPAA and to reasonably and appropriately safeguard the electronic protected health information in their possession.

Read the full article.

Privacy and Data Protection: 2014 Year in Review

by Daniel F. Gottlieb | Dec 11, 2014 | Advertising & Marketing, Big Data, Cloud, Consumer Protection, Cybersecurity, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield, Ecommerce, Electronic Contracting, Email/Spam, General Interest, Mobile Apps, Promotions, Sweepstakes & Contests, Social Media, Text Messaging, Workplace Privacy

In 2014, regulators around the globe issued guidelines, legislation and penalties in an effort to enhance security and control within the ever-shifting field of privacy and data protection. The Federal Trade Commission confirmed its expanded reach in the United States, and Canada’s far-reaching anti-spam legislation takes full effect imminently. As European authorities grappled with the draft data protection regulation and the “right to be forgotten,” the African Union adopted the Convention on Cybersecurity and Personal Data, and China improved the security of individuals’ information in several key areas. Meanwhile, Latin America’s patchwork of data privacy laws continues to evolve as foreign business increases.

This report furnishes in-house counsel and others responsible for privacy and data protection with an overview of key action points based on these and other 2014 developments, along with advance notice of potential trends in 2015. McDermott will continue to report on future updates, so check back with us regularly.

Read the full report here.

Is There an End in Sight for EU Data Protection Reform?

by McDermott Will & Emery | Dec 2, 2014 | Big Data, Consumer Protection, Data Privacy, Data Transfers/Safe Harbor/Privacy Shield, General Interest

On 5 November 2014, Peter Hustinx, the European Data Protection Supervisor (EDPS), together with Germany’s Federal Data Protection Commissioner, Andrea Voβhoff, held a panel discussion in respect of the state of play and perspectives on EU data protection reform.

Although participants identified a number of key outstanding issues to be resolved prior to the conclusion of the reform process, there was some optimism that such issues could be overcome, and the process completed, before the end of 2015.

Background

The EDPS is an independent supervisory authority whose members are elected by the European Parliament and the Council in order to protect personal information and privacy, in addition to promoting and supervising data protection in the European Union’s institutions and bodies. The role of the EDPS includes inter alia advising on privacy legislation and policies to the European Commission, the European Parliament and the Council and working with other data protection authorities (DPA) to promote consistent data protection throughout Europe.

The proposed data protection regulation is intended to replace the 1995 Data Protection Directive (95/46/EC) (the Directive) and aims not only to give individuals more control over their personal data, but also make it easier for companies to work across borders by harmonising laws between all EU Member States. The European Parliament and the Civil Liberties, Justice and Home Affairs (LIBE) Committee have driven the progress on new data protection laws, but there has been frustration aimed at the Council of Ministers for their slow progress. Following the vote by the European Parliament in March 2014 in favour of the new data protection laws, the next steps include the full Ordinary Legislative Procedure (co-decision procedure), which requires the European Parliament and the Council to reach agreement together.

The panel discussion attendees were made up of institutional representatives and key figures involved in the EU Data Protection Reform Package, including: Stefano Mura (Head of the Department for International Affairs at Italy’s Ministry of Justice); Jan Albrecht MEP (Vice-Chair and Rapporteur of the European Parliament LIBE Committee); and Isabelle Falque-Pierrotin (President of CNIL and Chair of the Article 29 Working Party). The purpose of the panel discussion was to consider the outstanding issues and next steps to finalise proposals on EU data protection reform, particularly in the context of the recent CJEU rulings on data retention and the right to be forgotten.

Key Messages

The key points raised during the panel discussion included:

There is optimism that the reform process will be completed in the next year subject to resolving outstanding issues, such as:
- Whether public authority processing should be included in the proposed data protection regulation – Andrea Voshoff commented that this issue was being considered by the Council of Ministers Committee in relation to the introduction of a clause preventing the lowering of standards by national laws. Stefano Mura added that while there is a desire for both a uniform approach between the EU Member States and a right for Member States to regulate their own public sectors, a [...]
  
  Continue Reading

When Seeking Cyber Coverage, Preparation is Key

by Joshua D. Rogaczewski | Nov 26, 2014 | Consumer Protection, Cybersecurity, Data Privacy

In 2014, major data breaches were reported at retailers, restaurants, online marketplaces, software companies, financial institutions and a government agency, among others. According to the nonprofit Privacy Rights Clearinghouse, 567 million records have been compromised since 2006. Companies with data at risk should consider purchasing so-called cybersecurity insurance to help them weather storms created by assaults on their information infrastructure. A company’s insurance broker and insurance lawyer can be of significant help in procuring insurance that meets a company’s need.

As an additional benefit, preparation for the cybersecurity insurance underwriting process itself likely will decrease the risk of a debilitating cyber incident. The underwriting process for cybersecurity insurance is focused on the system that a company employs to protect its sensitive data, and can be detailed and exhaustive. Like other insurance carriers, cybersecurity insurance carriers use the underwriting process to investigate prospective policyholders and ascertain the risks the carriers are being asked to insure. Before applying for cybersecurity insurance, companies should perform due diligence on their information systems and correct as many potential risks as possible before entering the underwriting process.

Applicants for cybersecurity insurance may expect to answer questions about prior data breaches, information-technology vendors, antivirus and security protocols, and the species of data in their custody. Carriers might also ask about “continuity plans” for the business, the company’s security or privacy policies, whether those policies are the product of competent legal advice, whether the company’s networks can be accessed remotely and, if so, what security measures are in place. The investigation might even extend to a company’s employment practices, such as password maintenance and whether departing employees’ network access is cancelled prior to termination. If a company has custody of private health information, carriers might delve into a company’s compliance with the Health Insurance Portability and Accountability Act of 1996. Anything that makes a company more or less at risk for a data breach is fair game in the cybersecurity underwriting process.

Due diligence and corrective action prior to approaching an insurance company should yield three related results. First, it should reduce the company’s risk of a data breach. Because the insurance carriers are focused on what makes a company a larger or smaller risk to underwrite, companies can use carriers’ underwriting questions as a roadmap to improving the security of their information-technology systems. Second, it should make the company more attractive to the prospective insurance company. Insurance companies obviously prefer policyholders that do not present substantial risk of claims. A company’s ability to present its systems as safe and secure will give a carrier a greater degree of comfort in reviewing and approving the application for insurance. Finally, it should reduce the company’s premium for cybersecurity insurance. Premium rates have a simple, direct relationship with risk. As a policyholder’s risk profile increases, so too does the premium. Shoring up gaps in a company’s security profile therefore should pay dividends in lower insurance costs.

Companies with sensitive data in their care should investigate options for cybersecurity insurance. In [...]

Continue Reading

California Continues to Lead with New Legislation Impacting Privacy and Security

by McDermott Will & Emery and Kate Hammond | Oct 13, 2014 | Consumer Protection, Cybersecurity, Data Privacy, Social Media

At the end of September, California Governor Edmund G. Brown, Jr. approved six bills designed to enhance and expand California’s privacy laws. These new laws are scheduled to take effect in 2015 and 2016. It will be important to be mindful of these new laws and their respective requirements when dealing with personal information and when responding to data breaches.

Expansion of Protection for California Residents’ Personal Information – AB 1710

Under current law, any business that owns or licenses certain personal information about a California resident must implement reasonable security measures to protect the information and, in the event of a data or system breach, must notify affected persons. See Cal. Civil Code §§ 1798.81.5-1798.83. Current law also prohibits individuals and entities from posting, displaying, or printing an individual’s social security number, or requiring individuals to use or transmit their social security number, unless certain requirements are met. See Cal. Civil Code § 1798.85.

The bill makes three notable changes to these laws. First, in addition to businesses that own and license personal information, businesses that maintain personal information must comply with the law’s security and notification requirements. Second, in the event of a security breach, businesses now must not only notify affected persons, but also provide “appropriate identity theft prevention and mitigation services” to the affected persons at no cost for at least 12 months, if the breach exposed or may have exposed specified personal information. Third, in addition to the current restrictions on the use of social security numbers, individuals and entities now also may not sell, advertise to sell, or offer to sell any individual’s social security number.

Expansion of Constructive Invasion of Privacy Liability – AB 2306

Under current law, a person can be liable for constructive invasion of privacy if the person uses a visual or auditory enhancing device and attempts to capture any type of visual image, sound recording, or other physical impression of the person in a personal or familial activity under circumstances in which the person had a reasonable expectation of privacy. See Cal. Civil Code § 1708.8.

The bill expands the reach of the current law by removing the limitation requiring the use of a “visual or auditory enhancing device” and imposing liability if the person uses any device to capture a visual image, sound recording, or other physical impression of a person in a personal or familial activity under circumstances in which the person had a reasonable expectation of privacy.

The law will also continue to impose liability on those who acquire the image, sound recording, or physical impression of the other person, knowing that it was unlawfully obtained. Those found liable under the law may be subject to treble damages, punitive damages, disgorgement of profits and civil fines.

Protection of Personal Images and Videos (“Revenge Porn” Liability)– AB 2643

Assembly Bill 2643 creates a private right of action against a person who intentionally distributes by any means, without consent, material that exposes a person’s intimate body parts or the [...]

Continue Reading

Be Careful Who You Hire To Make Those Calls! Ninth Circuit Takes Expansive View of Vicarious Liability under the TCPA

by McDermott Will & Emery | Oct 1, 2014 | Advertising & Marketing, Consumer Protection, General Interest, Text Messaging

A recent ruling by the Ninth Circuit took an expansive view of vicarious liability under the Telephone Consumer Protection Act (TCPA). Reversing the district court’s grant of summary judgment, the court in Gomez v. Campbell held that a marketing consultant could be held liable for text messages sent in violation of the TCPA, even though the marketing consultant itself had not sent the texts and even though the texts were sent on behalf of the marketing consultant’s client, not the consultant itself.

Among other things, the TCPA prohibits (with certain exceptions) the use of automatic telephone dialing systems in making calls to cellphones. Both the Federal Communications Commission (FCC) and the courts have interpreted this provision to bar the use of automated systems to send unsolicited texts to cellphones. In Gomez, the Campbell-Ewald Company had been hired by the Navy to conduct a multimedia recruiting campaign. Campbell-Ewald had then outsourced the text-messaging component of the campaign to a third party, Mindmatics. Mindmatics then allegedly sent text messages to the plaintiff and others who had not given consent.

On appeal, Campbell-Ewald raised two variations of the arguments that it should not be held liable for texts that it had not itself sent. First, Campbell-Ewald argued that it did not “make” or “initiate” any calls under the TCPA because Mindmatics had sent the texts. As the statue only provides for liability for those that “make” or “initiate” prohibited calls, Campbell-Ewald argued that it could not be held liable. Second, addressing another potential avenue of liability, Campbell-Ewald noted that the FCC had interpreted the TCPA to allow for liability against those “on whose behalf” unsolicited calls are made. But, Campbell-Ewald argued, it could not be held liable on this ground either because the texts had been sent on behalf of its client, the Navy, not Campbell-Ewald.

In the end, the Ninth Circuit sidestepped both these arguments and found Campbell-Ewald potentially liable on a third basis, “ordinary tort-related vicarious liability rules.” The court noted that where a statute is silent on vicarious liability—as the court judged the TCPA to be—traditional common law standards of vicarious liability apply. Thus, the court held, Campbell-Ewald could be liable under the TCPA based on the agency relationship between Campbell-Ewald and Mindmatics. The court further noted that FCC had stated that the TCPA imposes liability “under federal common law principles of agency,” and held that the FCC’s interpretation was entitled to deference.

Finally, the court noted that it made little sense to subject both the actual sender and the ultimate client to liability, while absolving the middleman marketing consultant, noting, “a merchant presumably hires a consultant in party due to its experience in marketing norms.”

The decision reinforces the importance for companies to closely monitor anyone sending texts or placing calls on their behalf or at their direction. Following Gomez, it is clear that any company that had a role in sending unsolicited calls or texts can potentially be held liable under the TCPA; and the company with the [...]

Continue Reading

Article 29 Working Party Discusses the Right to be Forgotten

by McDermott Will & Emery | Sep 30, 2014 | Consumer Protection, Data Privacy

On 18 September 2014, the European Union’s Article 29 Data Protection Working Party published a press release outlining its recent plenary session discussions on the so-called “right to be forgotten” or “de-listed.”

The Working Party identifies that search engines, as data controllers, are under an obligation to acknowledge requests to be de-listed and establishes amongst European data protection authorities a “tool box” for ensuring a common approach to complaints handling in the case of refusals to de-list.

Background

The Working Party, made up of EU member state national data protection authorities, is an independent advisory body on data protection and privacy, set up under Article 29 of the Data Protection Directive (95/46/EC) (DPD) in order to contribute to the DPD’s uniform application.

The purpose of its latest plenary session held on 16 and 17 September 2014 was to discuss the aftermath of the European Court of Justice’s (ECJ) May 2014 ruling which recognised an EU citizen’s right to have the results of searches conducted against their name and containing their personal information removed where such information was inaccurate, inadequate, irrelevant or excessive for the purposes of data processing.

Key Messages

The Working Party has acknowledged that there is high public demand for the right to be forgotten, based on the number of complaints received by European data protection authorities relating to refusals by search engines to de-list since the ECJ ruling.

The Working Party has agreed that there is a need for a uniform approach to the handling of de-listing complaints. As such the Working Party has proposed that:

It is necessary to put in place a network of dedicated contact persons within European data protection authorities to develop common case-handling criteria; and
Such a network will provide data protection authorities with a record of decisions taken on complaints and a dashboard to assist in reviewing similar, new or more difficult cases.

Going forwards the Working Party also confirmed that it will continue to review how search engines comply with the ECJ’s ruling, having already held a consultation process with search engines and media companies over the summer.

GPEN Publishes Privacy Sweep Results

by McDermott Will & Emery | Sep 29, 2014 | Cloud, Consumer Protection, Data Privacy, Mobile Apps, Social Media

On 10 September 2014, the Global Privacy Enforcement Network (GPEN) published the results of its privacy enforcement survey or “sweep” carried out earlier in 2014 with respect to popular mobile apps. The results of the sweep are likely to lead to future initiatives by data protection authorities to protect personal information submitted to mobile apps.

The purpose of the sweep was to determine the transparency of the privacy practices of some 1,211 mobile apps and involved the participation of 26 data protection authorities across the globe. The results of the sweep suggest that a high proportion of the apps downloaded did not sufficiently explain how consumers’ personal information would be collected and used.

Background

GPEN was established in 2010 on the recommendation of the Organisation for Economic Co-operation and Development. GPEN aims to create cooperation between data protection regulators and authorities throughout the world in order to strengthen personal privacy globally. GPEN is currently made up of 51 data protection authorities across some 39 jurisdictions.

Over the course of a week in May 2014, GPEN’s “sweepers” – made up of 26 data protection authorities across 19 jurisdictions, including the UK Information Commissioner’s Office (ICO) – participated in the survey by downloading and briefly interacting with the most popular apps released by developers in their respective jurisdictions, in an attempt to recreate a typical consumer’s experience. In particular GPEN intended the sweep to increase public and commercial awareness of data protection rights and responsibilities as well as identify specific high-level issues which may become the focus of future enforcement actions and initiatives.

Sweep Results

The key negative findings of GPEN sweep include:

85 percent of apps failed to clearly explain how personal information would be processed.
59 percent of apps did not clearly indicate basic privacy information (with 11 percent failing to include any privacy information whatsoever).
31 percent of apps were excessive in their permission requests to access personal information.
43 percent of the apps had not sufficiently tailored their privacy communications for the mobile app platform – often instead relying on full version privacy policies found on websites.

However, the sweep results also highlighted a number of examples of best practices for app developers, including:

Many apps provided clear, easy-to-read and concise explanations about exactly what information would be collected, how and when it would be used and, in some instances, explained specifically and clearly what would not be done with the information collected.
Some apps provided links to the privacy policies of their advertising partners and opt-out elections in respect of analytic devices.
There were good examples of privacy policies specifically tailored to the app platform, successfully making use of just-in-time notifications (warning users when personal information was about to be collected or used), pop-ups and layered information, allowing for consumers to obtain more detailed information if required.

Many of the GPEN members are expected to take further action following the sweep results. For its part, the UK ICO has commented that in light [...]

Continue Reading

Older Posts »

« Newer Posts

BLOG EDITORS

Amanda Enyeart

Marshall E. Jackson, Jr.

BLOG EDITORS

STAY CONNECTED

TOPICS

ARCHIVES

RECENT POSTS