On Monday, April 20th, the Supreme Court accepted cert in Van Burien v. United States to (hopefully) resolve a longstanding circuit split regarding the Computer Fraud and Abuse Act (or CFAA): Does an individual exceed authorized access when he or she accesses a computer contrary to a policy or agreement limiting access (i.e., accessing a computer for a purpose beyond those permitted by the company). READ MORE
Posts by: Aravind Swaminathan
On Tuesday, Washington Governor Jay Inslee signed into law legal restrictions on the use of facial recognition by public agencies (SB 6280), while the Washington Legislature previously reached an impasse on the proposed Washington Privacy Act (SB 6281) due to a few big ticket items, particularly whether the Act would be enforceable via a private right of action for Washington residents. READ MORE
On January 30, 2020, the U.S. Department of Defense (“DoD”) released Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”) framework (CMMC overview here; CMMC Version 1.0 and appendices here). By 2026, DoD plans to require CMMC certification for all defense contracts. For companies looking to play a role – any role – in the defense industry supply chain, now is the time to develop, assess, and augment cybersecurity practices.
Earlier this month, Andrew Smith, the FTC’s Director of the Bureau of Consumer Protection, announced that the Commission had made “three major changes” to its data security orders. Citing recent hearings at the FTC, as well as the Commission’s defeat in the closely watched LabMD case, Director Smith highlighted three key takeaways from seven consent orders announced against “an array of diverse companies.”
While the California Consumer Privacy Act (“CCPA”) has inspired many states to consider their own consumer privacy bills, including Nevada which recently enacted a new law, not to be lost in the CCPA-focused frenzy is the fact that states continue to revise their data breach notification statutes. In recent weeks, the new Massachusetts breach notification amendment has gone into effect, New Jersey, Maryland, Oregon, Texas, and Washington have enacted their own breach notification amendments, and Illinois has proposed a bill that is poised to become law in the near term. READ MORE
In an increasing trend, the Federal Trade Commission (FTC) joined other federal regulators seeking to hold individuals – not just companies – liable in enforcement proceedings. The most recent target was San Francisco-based UrthBox, Inc. and its principal, Behnam Behrouzi. Specifically, Urthbox and Behrouzi agreed to settle FTC allegations that UrthBox engaged in unfair or deceptive acts or practices by: (1) failing to adequately disclose key terms of its “free trial” automatic renewal programs, and (2) misrepresenting that customer reviews were independent when, in fact, UrthBox provided customers with free products and other incentives to post positive reviews online.
At the beginning of this month, more than 4,000 privacy professionals from around the globe gathered in Washington, D.C. for the International Association of Privacy Professionals’ Global Privacy Summit 2019. The conference focused on lessons learned from the first year of GDPR enforcement in Europe, the expansion of European-style rights to more jurisdictions around the world, plans for addressing new obligations imposed by the CCPA in California, and the future of privacy law in the United States including whether federal legislature is likely or desired – especially in light of the CCPA and similar proposed legislation in states throughout the nation. READ MORE
In June 2018, medical laboratory LabMD obtained the first-ever court decision overturning a Federal Trade Commission (FTC) cybersecurity enforcement action. (The team directing that effort – led by Doug Meal and Michelle Visser – joined Orrick in January 2019). There, the Eleventh Circuit held that an FTC cease-and-desist order imposing injunctive relief requiring LabMD to implement “reasonable” data security was impermissibly vague. In the wake of LabMD, the FTC’s new Chairman, Joseph Simons, stated that he was “very nervous” that the agency lacked the remedial authority it needed to deter allegedly insufficient data security practices and that, among other things, the FTC was exploring whether it has additional untapped authority it could use in this space. In this regard, Chairman Simons and Commissioner Rebecca Kelly Slaughter announced that the FTC is examining whether it can “further maximize its enforcement reach, in all areas, through strategic use of additional remedies” such as “monetary relief.” READ MORE
A recent decision from the Supreme Court of Illinois heightens the risks faced by companies collecting biometric information by holding that an individual who is the subject of a violation of Illinois’ Biometric Information Privacy Act—but who suffered no separate harm from the violation—is an “aggrieved party” with a cause of action under the statute. Rosenbach v. Six Flags Entertainment Corp., No. 123186 (Ill. Jan. 25, 2019). This decision will only further embolden plaintiffs’ lawyers to bring biometric privacy suits, and the risk to companies collecting biometric information will likely increase as newly enacted and proposed legislation comes into effect. In this post, we discuss what happened, what is on the horizon, and some steps to consider. READ MORE
The California Consumer Privacy Act of 2018 (the “CCPA” or the “Act”), which we reported on here and here continues to make headlines as the California legislature fast-tracked a “clean up” bill to amend the CCPA before the end of the 2018 legislative session. In a flurry of legislative activity, the amendment bill (“SB 1121” or the “Amendment”) was revised at least twice in the last week prior to its passage late in the evening on August 31, just hours before the legislative session came to a close. The Amendment now awaits the governor’s signature.
Although many were hoping for substantial clarification on many of the Act’s provisions, the Amendment focuses primarily on cleaning up the text of the hastily-passed CCPA, and falls far short of addressing many of the more substantive questions raised by companies and industry advocates as to the Act’s applicability and implementation. READ MORE