September 2018 was a busy month for data privacy. If you are still trying to catch up, here’s a brief synopsis (with relevant links).
In New York, while 23 NYCRR §500 has been in effect since March 1, 2017, many requirements took effect on September 1, 2018. These include: (1) financial institutions must keep an audit trail of all financial transactions for at least five years and keep an audit trail of “security events” for at least three years; and (2) all regulated data must be encrypted and erased when it is no longer needed (borrowing from GDPR).
On September 25, 2018, the Trump Administration formally announced it was seeking public input on desired outcomes of the new privacy standards (comments are due October 26, 2018) and was interested in establishing national standards.
On September 24, 2018, Google posted its proposed “Framework for Responsible Data Protection Regulations.” This was less than two weeks after the Internet Association, a group of 40 major internet and technology companies (including Google), called for a national privacy framework in a September 12, 2018 press release and advocated for federal privacy legislation that is “consistent nationwide, proportional, flexible and encourages companies to act as good stewards of the personal information provided to them by individuals.”
At home, the Senate Commerce Committee held hearings on September 26, 2018 and heard from Google, AT&T, Amazon, Apple and others regarding data privacy and potential national legislation. The same day across the ocean, the European Data Protection Board had its third annual plenary discussing complaints against Google, guidelines on the application of the territorial scope of the GDPR, and international cooperation for the protection of personal data, among other things.
On September 27, four companies (IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath) agreed to settle allegations by the Federal Trade Commission that they falsely claimed certification under the EU-U.S. Privacy Shield framework. The second annual joint review of the EU-U.S. and Swiss-U.S. Privacy Shield will take place mid-October where the fate of the Privacy Shield as part of GDPR enforcement will be debated.
All of this September activity comes on the heels of GDPR implementation on May 25, 2018; California’s adoption of the California Consumer Privacy Act in June of 2018; and Congress’ adoption of the CLOUD Act in March of 2018 -- as well as Ohio’s adoption of the Ohio Data Protection Act (S.B. 220) in August of 2018 which creates a new, potential safe harbor for Ohio businesses responding to data breaches.
 We expect the next several months to be extremely active as well, especially with the number of new complaints and data breach notices filed in Europe since May. We will continue to monitor and update developments as the data privacy framework continues to evolve.
 New York State Department of Financial Services 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies (2018), available at https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.
 National Telecommunications and Information Administration, Requests for Comments on Developing the Administration’s Approach to Consumer Privacy (September 25, 2018), https://www.ntia.doc.gov/federal-register-notice/2018/request-comments-developing-administration-s-approach-consumer-privacy.
 Google, Framework for Responsible Data Protection Regulation (September 2018), https://services.google.com/fh/files/blogs/google_framework_responsible_data_protection_regulation.pdf.
 Internet Association, Internet Association Proposes Privacy Principles for a Modern National Regulatory Framework (September 12, 2018), https://internetassociation.org/internet-association-proposes-privacy-principles-for-a-modern-national-regulatory-framework/.
 C-SPAN, Data Privacy and Protection (September 26, 2018), https://www.c-span.org/video/?451963-1/google-apple-amazon-tech-companies-testify-data-privacy; Jedidiah Bracy, In Push for US Federal Privacy Law, State Preemption Will Depend on the Details, IAPP (September 27, 2018), https://iapp.org/news/a/in-push-for-us-federal-privacy-law-state-preemption-will-depend-on-the-details/.
 European Data Protection Board, Draft Agenda 3rd EDPB Meeting (September 24, 2018), https://edpb.europa.eu/sites/edpb/files/files/file1/agenda_3nd_edpb_meeting_en.pdf.
 Federal Trade Commission, FTC Reaches Settlements with Four Companies That Falsely Claimed Participation in the EU-U.S. Privacy Shield (September 27, 2018), https://www.ftc.gov/news-events/press-releases/2018/09/ftc-reaches-settlements-four-companies-falsely-claimed.
 AB-375 (Ca. June 29, 2018), California Consumer Privacy Act text, available at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.
 S. 2382, 115th Congress (2017-2018), Clarifying Lawful Overseas Use of Data Act text, available at https://www.congress.gov/bill/115th-congress/senate-bill/2383/text
 SB-220, 132nd Gen. Assemb., Reg. Sess. (Oh. 2018), Data Protection Act text, available at https://www.ohioattorneygeneral.gov/Business/CyberOhio/Data-Protection-Act/SB-220-House-version; Ohio Attorney General Mike DeWine Press Release, Bill Launched by Attorney General’s Cyber Ohio Initiative Signed into Law (August 3, 2018), available at https://www.ohioattorneygeneral.gov/Media/News-Releases/August-2018/Bill-Launched-by-Attorney-General%E2%80%99s-CyberOhio-Init
Drew Hicks assists clients in litigation and dispute resolution by, among other things, advising clients on litigation risk management and cost issues. Drew focuses his practice on representing public and private companies in a ...
Jacob Rhode assists clients with litigation and dispute resolution, helping develop and implement strategies to successfully resolve corporate disputes.
Jacob primarily works on complex commercial and financial services ...
Joe Callow helps clients manage and reduce litigation risk and litigation costs. When litigation arises, he handles and coordinates cases on a national, regional, and local basis.
Joe primarily works on class action and complex ...
Stephanie Scott practices in the firm's Litigation Group, focusing primarily on general corporate litigation, intellectual property, qui tam litigation, and cybersecurity and privacy law.
Stephanie earned her law degree from ...