KMK Law Cybersecurity & Privacy Blog

September 2018 was a busy month for data privacy. If you are still trying to catch up, here’s a brief synopsis (with relevant links).

In New York, while 23 NYCRR §500 has been in effect since March 1, 2017, many requirements took effect on September 1, 2018. These include: (1) financial institutions must keep an audit trail of all financial transactions for at least five years and keep and audit trail of “security events” for at least three years; and (2) all regulated data must be encrypted and erased when it is no longer needed (borrowing from GDPR).[1]

 On September 25, 2018, the Trump Administration formally announced it was seeking public input on desired outcomes of the new privacy standards (comments are due October 26, 2018) and was interested in establishing national standards.

[2]On September 24, 2018, Google posted its proposed “Framework for Responsible Data Protection Regulations.”[3] This was less than two weeks after the Internet Association, a group of 40 major internet and technology companies (including Google), called for a national privacy framework in a September 12, 2018 press release and advocated for federal privacy legislation that is “consistent nationwide, proportional, flexible and encourages companies to act as good stewards of the personal information provided to them by individuals.”[4]  

At home, the Senate Commerce Committee held hearings on September 26, 2018 and heard from Google, AT&T, Amazon, Apple and others regarding data privacy and potential national legislation.[5] The same day across the ocean, the European Data Protection Board had its third annual plenary discussing complaints against google, guidelines on the application of the territorial scope of the GDPR, and international cooperation for the protection of personal data, among other things.

[6]On September 27, four companies (IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath) agreed to settle allegations by the Federal Trade Commission that they falsely claimed certification under the EU-U.S. Privacy Shield framework.[7] The second annual joint review of the EU-U.S. and Swiss-U.S. Privacy Shield will take place mid-October where the fate of the Privacy Shield as part of GDPR enforcement will be debated.

[8]All of this September activity comes on the heels of GDPR implementation on May 25, 2018;[9] California’s adoption of the California Consumer Privacy Act in June of 2018;[10] and Congress’ adoption of the CLOUD Act in March of 2018[11] -- as well as Ohio’s adoption of the Ohio Data Protection Act (S.B. 220) in August of 2018 which creates a new, potential safe harbor for Ohio businesses responding to data breaches.

[12] We expect the next several months to be extremely active as well, especially with the number of new complaints and data breach notices filed in Europe since May. We will continue to monitor and update developments as the data privacy framework continues to evolve.

[1] New York State Department of Financial Services 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies (2018), available at https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.

[2] National Telecommunications and Information Administration, Requests for Comments on Developing the Administration’s Approach to Consumer Privacy (September 25, 2018), https://www.ntia.doc.gov/federal-register-notice/2018/request-comments-developing-administration-s-approach-consumer-privacy.

[3] Google, Framework for Responsible Data Protection Regulation (September 2018), https://services.google.com/fh/files/blogs/google_framework_responsible_data_protection_regulation.pdf.

[4] Internet Association, Internet Association Proposes Privacy Principles for a Modern National Regulatory Framework (September 12, 2018), https://internetassociation.org/internet-association-proposes-privacy-principles-for-a-modern-national-regulatory-framework/.

[5] C-SPAN, Data Privacy and Protection (September 26, 2018), https://www.c-span.org/video/?451963-1/google-apple-amazon-tech-companies-testify-data-privacy; Jedidiah Bracy, In Push for US Federal Privacy Law, State Preemption Will Depend on the Details, IAPP (September 27, 2018), https://iapp.org/news/a/in-push-for-us-federal-privacy-law-state-preemption-will-depend-on-the-details/.

[6] European Data Protection Board, Draft Agenda 3^rd EDPB Meeting (September 24, 2018), https://edpb.europa.eu/sites/edpb/files/files/file1/agenda_3nd_edpb_meeting_en.pdf.

[7] Federal Trade Commission, FTC Reaches Settlements with Four Companies That Falsely Claimed Participation in the EU-U.S. Privacy Shield (September 27, 2018), https://www.ftc.gov/news-events/press-releases/2018/09/ftc-reaches-settlements-four-companies-falsely-claimed.

[8] Privacy Shield, Privacy Shield News and Events, https://www.privacyshield.gov/NewsEvents (last visited Oct. 4, 2018).

[9] General Data Protection Regulation (2018), available at https://gdpr-info.eu/.

[10] AB-375 (Ca. June 29, 2018), California Consumer Privacy Act text, available at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.

[11] S. 2382, 115th Congress (2017-2018), Clarifying Lawful Overseas Use of Data Act text, available at https://www.congress.gov/bill/115th-congress/senate-bill/2383/text

[12] SB-220, 132nd Gen. Assemb., Reg. Sess. (Oh. 2018), Data Protection Act text, available at https://www.ohioattorneygeneral.gov/Business/CyberOhio/Data-Protection-Act/SB-220-House-version; Ohio Attorney General Mike DeWine Press Release, Bill Launched by Attorney General’s Cyber Ohio Initiative Signed into Law (August 3, 2018), available at https://www.ohioattorneygeneral.gov/Media/News-Releases/August-2018/Bill-Launched-by-Attorney-General%E2%80%99s-CyberOhio-Init