U.S.-EU Privacy Shield Replaces Defunct Safe Harbor Framework
The European Commission announced Feb. 2, 2016, that the Commission and the U.S. Department of Commerce had reached an agreement on a new trans-Atlantic data transfer framework: the "EU-US Privacy Shield" or, colloquially, Safe Harbor 2.0. The Privacy Shield replaces the former U.S.-EU Safe Harbor framework, which was struck down by Europe's highest court this past October in Schrems v. Data Protection Commissioner. In order to address European concerns about U.S. government surveillance, U.S. officials provided written assurances that intelligence and law enforcement surveillance of personal data will be subject to "clear limitations, safeguards and oversight mechanisms" and "ruled out indiscriminate mass surveillance on the personal data transferred" under the arrangement. U.S. companies receiving personal data from EU citizens must "commit to robust obligations on how personal data is processed and individual rights are guaranteed" and must publish those commitments, under the oversight of the Department of Commerce. The FTC will have the authority to enforce those obligations. To further aid data transfers under this agreement, on Feb. 24, 2016, President Barack Obama signed into law the Judicial Redress Act, which will allow European citizens to seek legal redress if their personal data is misused.
NYAG Settlement With Uber in Data-Breach Investigation
The New York State Office of the Attorney General Jan. 6, 2016, issued an "assurance of discontinuance" memorializing its settlement with Uber over its handling of riders' (and drivers') personal information, following the discovery of a substantial data breach in 2014. Under the terms of the settlement, Uber must encrypt riders' GPS information and adopt authentication measures before any employee can access riders' sensitive personal information. Uber also agreed to pay a $20,000 penalty for violation of New York's privacy law for failing to provide timely notice of the breach, when one of its engineers posted an access ID for the company's cloud storage on an unsecured website and Uber drivers' names and license numbers were accessed by someone unaffiliated with the company. View the decision.
ERISA Preempts Data Breach Claims
In re Anthem, Inc. Data Breach Litig., No. 15-MD-2617-LHK (N.D. Cal. Jan. 27, 2016 & Feb. 14, 2016)
In this lawsuit arising out of the breach of unencrypted protected health information, the court denied plaintiffs' request for remand in January 2016, as well as a subsequent motion for reconsideration. The court issued an 82-page decision Feb. 14, 2016, holding that the loss of personal information could constitute harm under New York's General Business Law (GBL). Although the court found that the loss of the value of personal information and of the "benefit of the bargain" are cognizable injuries under the GBL, out-of-pocket costs to protect against the consequences of identity theft and the "fear of imminent further costs" are not cognizable injuries under that law. View the decision.
After $100 Million FTC Settlement, LifeLock Settles Consumer Fraud Class Action
Ebarle v. LifeLock, Inc., No. 15-CV-00258-HSG, 2016 WL 234364 (N.D. Cal. Jan. 20, 2016)
The FTC entered a $100 million settlement in December 2015 with LifeLock, an identity theft protection provider, over claims that the company violated a 2010 federal court order requiring it to secure consumers' personal information and prohibiting the company from deceptive advertising. Apart from the FTC action, LifeLock was involved in a consumer fraud class action alleging that misrepresentations about consumers' personal data security in defendant's advertising violated Arizona consumer protection law. The class action settlement includes a $68 million fund, which the defendant can fund using part of the $100 million FTC settlement for consumer redress. View the decision.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.