As reported on Hunton’s Privacy and Information Security Law blog, on June 28, 2018, the Governor of California signed AB 375, the California Consumer Privacy Act of 2018 (the “Act”). The Act introduces key privacy requirements for businesses, and was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative. The Act will take effect January 1, 2020. Continue Reading California Consumer Privacy Act Signed, Introduces Key Privacy Requirements for Businesses
As reported on Hunton’s Privacy and Information Security Law blog, the FTC has modified its 2017 settlement with Uber after learning of an additional breach that was not taken into consideration during its earlier negotiations with the company. The revised proposed agreement goes beyond the FTC’s original settlement mandating that Uber implement a comprehensive privacy program. The expanded FTC order would require Uber to address software design, development and testing; how the company reviews and responds to third-party security vulnerability reports; and prevention, detection and response to attacks, intrusions or systems failures. Uber also would be required to report to the FTC any episode where it has to notify any U.S. government entity about the unauthorized access of any consumer’s information. Continue Reading FTC Revises Its Security Settlement with Uber
As reported on the Hunton Privacy & Information Security Law Blog, on March 8, 2018, the Ninth Circuit Court of Appeals (“Ninth Circuit”) reversed a decision from the United States District Court for the District of Nevada. The trial court found that one subclass of plaintiffs in In re Zappos.Com, Inc. Customer Data Security Breach Litigation had not sufficiently alleged injury in fact to establish Article III standing. The opinion focused on consumers who did not allege that any fraudulent charges had been made using their identities, despite hackers accessing their names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information in a 2012 data breach. Continue Reading Ninth Circuit Reverses District Court Decision in Zappos Consumer Data Breach Case
On January 18, 2018, Hunton & Williams LLP’s retail industry lawyers, composed of more than 100 lawyers across practices, released their annual Retail Year in Review publication. The Retail Year in Review includes many topics of interest to retailers including blockchain, antitrust enforcement in the Trump Administration, ransomware’s impact on the retail industry, SEC and M&A activity in 2017, cyber insurance, vulnerability to class actions, and the reduced tax rate.
On January 8, 2018, the FTC announced an agreement with electronic toy manufacturer, VTech Electronics Limited and its U.S. subsidiary, settling charges that VTech violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting personal information from hundreds of thousands of children without providing direct notice or obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected. Under the agreement, VTech will (1) pay a $650,000 civil penalty; (2) implement a comprehensive data security program, subject to independent audits for 20 years; and (3) comply with COPPA. This is the FTC’s first COPPA case involving connected toys and the Internet of Things.
On October 23, 2017, the Federal Trade Commission issued a policy enforcement statement providing additional guidance on the applicability of the Children’s Online Privacy Protection Rule (“COPPA Rule”) to the collection of children’s audio voice recordings. The FTC previously updated the COPPA Rule in 2013, adding voice recordings to the definition of personal information, which led to questions about how the COPPA Rule would be enforced against organizations who collect a child’s voice recording for the sole purpose of issuing a command or request. Continue Reading FTC Issues Policy Statement on COPPA and Voice Recordings
On September 5, 2017, the FTC announced that Lenovo, Inc. (“Lenovo”) agreed to settle charges that its preloaded software on some laptop computers compromised online security protections in order to deliver advertisements to consumers. The settlement agreement (the “Settlement”) is between Lenovo, the FTC and 32 State Attorneys General. Continue Reading FTC Announces Settlement with Lenovo Regarding Preinstalled Laptop Software
An insured seeking coverage for credit card fees assessed against its third-party payment processor following a data breach recently filed an appeal in the Fifth Circuit Court of Appeals. Spec’s, a liquor store chain with over 160 locations throughout Texas, suffered two major data breaches of its credit card payment system, resulting in the loss of customer information and credit card numbers. Spec’s accepts Visa and MasterCard payments from its customers through a third-party processor, First Data. As a result of the breach, First Data incurred liability assessments from MasterCard and Visa totaling $9.6 million. A merchant agreement required Spec’s to indemnify First Data for any assessments First Data incurred as a result of a breach of Spec’s system. First Data demanded indemnification from Spec’s for the fees. Without any adjudication of First Data’s claims and without Spec’s consent, First Data allegedly wrongfully withheld $4.2 million in credit card payments owed to Spec’s. Consequently, Spec’s sued First Data in Tennessee federal court to recover the $4.2 million.
On August 15, 2017, the FTC announced that it had reached a settlement with Uber, Inc., over allegations that the ride-sharing company had made deceptive data privacy and security representations to its consumers. Under the terms of the settlement, Uber has agreed to implement a comprehensive privacy program and undergo regular, independent privacy audits for the next 20 years. Continue Reading Uber Settles FTC Data Privacy and Security Allegations
In a video roundtable series, Hunton & Williams LLP partners Lisa J. Sotto and Steven M. Haas and special counsel Allen C. Goolsby, along with Stroz Friedberg’s co-president Eric M. Friedberg and Lee Pacchia of Mimesis Law, discuss the special consideration that should be given to privacy and cybersecurity risks in corporate transactions. Continue Reading Privacy and Data Security Risks in M&A Transactions: Video Series