FTC Releases 2017 Privacy And Data Security Update – On January 18, 2018, the Federal Trade Commission (“FTC”) released its annual report describing the agency’s activities over the past year in the areas of enforcement, advocacy, workshops, consumer education and business guidance, and international engagement.
With respect to enforcement, the FTC highlighted 10 privacy cases and three data security cases that it brought in 2017. The cases covered a range of different companies, including a “smart” television manufacturer, tax preparer, college rewards program, and transportation service provider.
On the international enforcement front, the FTC emphasized that it brought its first three actions enforcing the EU-U.S. Privacy Shield in 2017. The EU-U.S. Privacy Shield provides a legal mechanism for companies to transfer personal consumer data from the European Union to the United States. All three companies claimed that they were certified to participate in the EU-U.S. Privacy Shield, however, the FTC found that they failed to complete the certification. Similarly, three other companies settled with the FTC for falsely claiming that they participated in the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules System, a voluntary initiative that helps protect information transferred among the participating APEC member countries.
As for workshops, advocacy, and publications, the FTC described efforts to educate businesses and consumers on privacy and security issues related to a wide variety of topics ranging from internet of things devices, peer-to-peer payment systems and crowdfunding platforms, artificial intelligence and blockchain technologies, connected cars, and student privacy. These areas are likely to become a focus of FTC enforcement in the future.
A helpful resource for the FTC’s guidance on privacy and security issues is its blog series, Stick with Security, which is highlighted in the agency’s report. The blog offers insights and lessons to be drawn from recent law enforcement actions, closed investigations, and experiences of various companies. Companies looking for additional guidance can also consult the FTC’s newly released videos describing topics such as how the NIST Cybersecurity Framework aligns with the FTC’s work on data security, how to respond if your business is impersonated in a phishing scam, how businesses can defend against ransomware, using email authentication to prevent phishing emails from getting through to customers, and steps companies should take to respond to a data breach.
Reporter, Yelena Kotlarsky, New York, +1 212 556 2207, firstname.lastname@example.org.
South Dakota Moves Forward With State’s First Data Breach Law – On January 25, 2018, the South Dakota Senate approved the state’s first data breach notification law. If passed, the law would leave Alabama as the only U.S. state without a notification law. The proposed law will now move to the South Dakota House of Representatives for consideration and, if approved, to Governor Dennis Daugaard to be signed into law.
Like other state data breach notification laws, the proposed South Dakota law would require certain individuals and businesses who collect personal information of state residents to provide notification to a resident whose information is affected by a data breach. Specifically, the law would require “information holders” to provide statutorily-prescribed notice to state residents whose “personal” or “protected” information was, or is reasonably believed to have been, acquired by an unauthorized person. Such notification would have to be given within 60 days of the date the information holder learns of the breach, with a limited exception allowing for delay where a law enforcement agency determines notification would impede a criminal investigation. In addition to notifying affected residents, information holders would be required to notify the South Dakota Attorney General if the data breach affects more than 250 state residents.
The law would also grant the Attorney General enforcement authority allowing prosecution of information holders who fail to give the requisite notification. A violation of the law would be considered a deceptive act under the state’s consumer protection statute and would also allow for a civil penalty of up to $10,000 per day per violation. The law would not, however, create a private right of action for individuals to bring suit against information holders.
If enacted, South Dakota’s law would join the patchwork of data breach notification laws existing in all states except Alabama. Its passage would also come nearly 15 years after California, a progressive state in the area of data privacy regulation, enacted the first state data breach notification law. In the absence of a federal law providing uniform notification requirements, the individual laws of the 48 states currently require entities that experience a data breach—particularly large breaches with national impact—to undertake a complex notification process that accounts for variations in each state’s law. While at a macro level all of the state laws generally require notification to individuals when their personal information is exposed, differences in statutory language can have significant impacts on when and how notification must be given. For example, South Dakota’s proposed law requires notification after the unauthorized acquisition of personal information, while states such as Florida impose an arguably lower threshold of unauthorized access to personal information.
Other key differences among the state laws exist with respect to the definition of “personal information,” time periods for providing notification, and “safe harbors” or “risk of harm” exceptions that permit an entity to forego notification when it determines there is no reasonable likelihood of harm to affected individuals.
Reporter, Robert D. Griest, Atlanta, +1 404 572 2824, email@example.com.