United States: Jones Day Global Privacy & Cybersecurity Update | Vol. 22 (United States)

Last Updated: May 21 2019
Article by Jones Day

Jones Day Cybersecurity, Privacy & Data Protection Attorney Spotlight: Jennifer C. Everett

As data privacy and security regulations are on the rise in the United States, workplace compliance is at the forefront for employers. With a background in labor & employment law, Jennifer Everett is a senior associate based in Washington, D.C., with 10 years of experience advising institutional clients on employment, privacy, and cybersecurity compliance matters.

Jennifer's practice focuses on advising U.S. and international companies on developing and maintaining sustainable privacy and cybersecurity governance programs. Jennifer routinely counsels clients on strategic compliance with U.S. and global privacy and cybersecurity laws and enterprise-wide cyber risk management. She helps companies implement effective cross-border data management programs and negotiates data provisions in complex commercial agreements.

Jennifer also regularly counsels employers on privacy and cybersecurity matters in the workplace. This includes counseling employers on privacy and data protection related to employee monitoring, workplace investigations, personal device (BYOD) policies, employee background checks, and e-discovery.

UNITED STATES

Regulatory—Policy, Best Practices, and Standards

NIST Director Discusses Future Development of Cybersecurity Framework

On March 4, the director of the National Institute of Standards and Technology ("NIST") discussed NIST's Cybersecurity Framework at the annual RSA conference. Acknowledging the Framework's increasing popularity over the last few years in both the private and public sector, the director announced that NIST will focus on expanding its use by federal agencies and small businesses. He also reemphasized NIST's continuing commitment to developing the Framework to keep up with technological advancements.

Regulatory—Consumer and Retail

IPEC Publishes Annual Intellectual Property Report

On February 4, the Office of the U.S. Intellectual Property Enforcement Coordinator ("IPEC") issued its Annual Intellectual Property Report to Congress. The report described efforts within the Executive Branch to promote the protection of intellectual property rights within and outside the United States, including the protection of trade secrets against cybercrime and cyber espionage. The report also discusses engagement with U.S. trading partners on intellectual property issues, legal authorities to protect against unfair trade practices, expanded law enforcement cooperation, and various intellectual property enforcement activities pursued by federal agencies.

FTC Launches Task Force to Monitor Competition in Technology Markets

On February 26, the Federal Trade Commission ("FTC") announced the creation of the Technology Task Force, which aims to monitor competition in U.S. technology markets, investigate any potential anticompetitive conduct, and take enforcement actions when warranted. The task force is intended to help enhance the agency's focus on competition in technology-related sectors of the economy, including markets in which online platforms compete.

Social Networking Provider Agrees to Record $5.7 Million COPPA Settlement

On February 27, the provider of a video social networking music application agreed to pay a record $5.7 million to settle FTC claims that the company illegally collected personal information from children. This is the largest civil penalty ever obtained by the Commission in a children's privacy case. The FTC's complaint alleged that the company violated the Children's Online Privacy Protection Act ("COPPA"), which requires that websites and online services directed to children obtain parental consent before collecting personal information from users under the age of 13. The operators allegedly knew children were using the app but nonetheless failed to seek parental consent before collecting names, email addresses, and other personal information from users under the age of 13.

FTC Releases 2018 Privacy and Data Security Update

On March 15, the FTC released its annual report highlighting the agency's work in privacy and data security in 2018. The FTC highlighted several of its 2018 enforcement actions against technology companies, including a settlement against a mobile payments company regarding the privacy settings in the company's mobile application, an expanded settlement with a ride-sharing company to resolve data security and privacy allegations, and an enforcement action against a supplier of children's products under COPPA.

Regulatory—Financial

SEC Announces Changes to Form N-PORT Submissions

On February 27, the Securities and Exchange Commission ("SEC") announced that the submission deadlines for registered investment companies filing nonpublic monthly reports on Form N-PORT will be extended. Reports must now be filed on a quarterly basis instead of monthly. This change is part of the SEC's effort to reduce the agency's cyber risk profile by adopting alternative reporting options that reduce the frequency and sensitivity of the data it collects.

SEC Names Gabriel Benincasa as Chief Risk Officer

On February 28, the SEC announced that Gabriel Benincasa has been named the Commission's first chief risk officer. This position was created "to strengthen the agency's risk management and cybersecurity efforts." As chief risk officer, Mr. Benincasa will coordinate the SEC's "efforts to identify, monitor, and mitigate key risks facing the Commission."

FTC Seeks Comment on Proposed Amendments to GLBA

On March 5, the FTC announced that it sought comments on proposed amendments to the FTC's Safeguards Rule and Privacy Rule under the Gramm-Leach-Bliley Act ("GLBA"). The proposal would add additional requirements for how financial institutions must protect customer information, such as requiring the encryption of customer data held or transmitted by the institution over external networks.

SEC Issues Privacy Risk Alert for Investment Advisers and Broker Dealers

On April 16, the SEC's Office of Compliance Inspections and Examinations ("OCIE") issued a Risk Alert for investment advisers and broker-dealers. The Risk Alert identified the most frequent compliance issues related to customer privacy notices and safeguard policies for customer information under Regulation S-P, including the failure to provide initial, annual, and opt-out privacy notices and a lack of written privacy policies and procedures. The Risk Alert also discussed the lack of policies reasonably designed to safeguard customer information, including a lack of secure login credentials, written incident response plan, or employee training, among others.

Regulatory—Energy/Utilities

DHS Expands Cyber-Training Program

On March 21, the Department of Homeland Security ("DHS") Science and Technology Directorate awarded $5.9 million to Norwich University to expand the DECIDE cyber-training platform to the energy sector. The investment will allow organizations to identify vulnerabilities and develop mitigation strategies prior to a real-life crisis to ensure that organizations receive proper training to recognize and respond to potential cyber threats.

DOE Seeks to Reduce Cybersecurity Threats in Manufacturing

On March 26, the Department of Energy ("DOE") announced up to $70 million in funding for a Clean Energy Manufacturing Innovation Institute to focus on early-stage research for advancing cybersecurity in energy-efficient manufacturing. DOE stated that the Institute "will focus on understanding the evolving cybersecurity threats to greater energy efficiency in manufacturing industries, developing new cybersecurity technologies and methods, and sharing information and knowledge" with U.S. manufacturers. The Institute also will address the education and training needed for cyber-secure automated sensors.

Regulatory—Transportation

USDOT Launches Council to Support Emerging Transportation Technologies

On March 12, the U.S. Secretary of Transportation announced the creation of the Non-Traditional and Emerging Transportation Technology ("NETT") Council within the U.S. Department of Transportation ("USDOT"). The NETT Council is charged with identifying and resolving jurisdictional and regulatory gaps that may impede the deployment of new technologies, such as autonomous vehicles. By streamlining discussion and review of these technologies, the secretary stated that the government can address "legitimate public concerns about safety, security and privacy without hampering innovation."

Congressional Committees Investigate Cyber Threat to Transportation

On February 26, the Committee on Homeland Security held a joint hearing titled "Securing U.S. Surface Transportation from Cyber Attacks" with the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation and the Subcommittee on Transportation and Maritime Security. The hearing focused on securing U.S. surface transportation, such as railroads and highways, from digital threats.

Regulatory—Health Care/HIPAA

Health Records Company Settles False Claims Act Allegations
On February 6, the U.S. Attorney's Office for the District of Vermont announced that a health records company would pay $57.25 million to resolve False Claims Act allegations. The complaint alleged that the company caused its users to submit false claims to the government by misrepresenting the capabilities of its electronic health records software. The government had argued that the software did not fully incorporate the standardized clinical terminology necessary to ensure the reciprocal flow of information concerning patients and the accuracy of electronic prescriptions.

HHS Proposes New Rules for Electronic Health Information

On February 11, the U.S. Department of Health and Human Services ("HHS") proposed new rules to support seamless and secure access, exchange, and use of electronic health information. The rules seek to solve the issue of interoperability and patient access in the U.S. health care system while reducing administrative burdens on providers. The rules would allow patients to access their health information electronically through third-party software applications connected to their data.

Diagnostic Medical Imaging Company Settles PHI Breach

On May 6, HHS announced that a medical imaging services company agreed to pay $3 million to settle a breach that exposed the protected health information ("PHI") of more than 300,000 individuals. The HHS Office of Civil Rights ("OCR") determined that the company's servers had allowed uncontrolled access to its patient PHI, which permitted search engines to index and store patient data for offline viewing. OCR determined that the company did not thoroughly investigate the security incident until several months after notice of the breach and did not notify individuals in a timely manner.

Regulatory—Defense and National Security

DOD Releases Cloud Strategy

On February 4, the Department of Defense ("DOD") released its Cloud Strategy, reasserting DOD's commitment to the cloud from an enterprise perspective. The strategy focused implementation activities in two areas: (i) standing up cloud platforms that are "ready to receive data and applications"; and (ii) migrating existing applications and developing new applications in the cloud.

DOD Launches Technology-Focused Website

On April 24, DOD launched a new public website to inform members of the military industry and academia on DOD's research, development, engineering, and technological efforts. The website will highlight innovations related to artificial intelligence, big data analytics, autonomy, robotics, and advanced computing, among other topics.

Litigation, Judicial Rulings, and Agency Enforcement Actions

Court Gives Preliminary Approval to $50 Million Data Breach Settlement

On February 26, a federal court in Pennsylvania gave preliminary approval to a $50 million settlement related to a data breach at a restaurant chain that allegedly compromised customers' credit and debit information through malware. Plaintiffs alleged that the company failed to keep up with advancements in security measures, such as chips that would create unique codes for each customer transaction.

Home Security System Provider May Face Additional $8.4 Million in Attorneys' Fees for Alleged TCPA Violations

On March 18, attorneys for class plaintiffs requested $8.4 million dollars in attorneys' fees against a technology company that provides cloud-based home monitoring and remote control services after settling a Telephone Consumer Protection Act ("TCPA") class action for $28 million dollars. The class accused the company of using "autodialers" and "recorded messages" to call millions of cellphones, residential lines, and people on the national "do not call registry." The settlement class included more than 1.2 million consumers.

Legislative—Federal

GAO Calls for Federal Privacy Law
On February 13, the U.S. Government Accountability Office ("GAO") released a report calling for a federal privacy law based on interviews with former government officials, consumer advocates, academics, and industry professionals. The report calls for Congress to develop comprehensive internet data privacy legislation to enhance consumer protection. Specifically, GAO recommends: (i) enacting an overarching federal privacy statue; (ii) ensuring that the overseeing agency or agencies have notice-and-comment rulemaking authority; and (iii) providing authority to impose civil penalties for first-time violations.

Senators Introduce Bill Requiring Companies to Target Bias in Corporate Algorithms

On April 10, several U.S. senators introduced the Algorithmic Accountability Act, which would require companies to review artificial intelligence algorithms for bias or discrimination. The bill is aimed at companies that make more than $50 million per year, hold the data of at least one million people or devices, or primarily act as data brokers that buy and sell consumer data. The bill would also give the FTC authority to create regulations that require companies to conduct impact assessments of highly sensitive automated decision systems.

FTC Testifies Before Congress for Creation of National Privacy Law

On May 8, the FTC called for the enactment of a comprehensive federal data security law during testimony before the Senate Homeland Security and Government Affairs Subcommittee. The testimony was delivered by the Director of the Bureau of Consumer Protection and backed by a 5–0 vote approving its inclusion in the formal record. The testimony also requested that Congress permit the agency to enforce civil penalties to deter unlawful conduct, grant it jurisdiction over nonprofits and common carriers, and give it the authority to issue implementing rules under the Administrative Procedure Act.

Legislative—States

California Attorney General Plans to Publish CCPA Rulemaking Notices in Fall 2019

On February 8, the California Office of the Attorney General announced it anticipates publishing a Notice of Proposed Regulatory Action regarding the California Consumer Privacy Act ("CCPA") in fall 2019. The CCPA delays enforcement until six months after the attorney general implements regulations, or July 1, 2020, whichever comes first. The regulations will establish procedures for protecting consumers' rights and provide guidance to businesses on compliance, including on issues such as the categories of personal information, exceptions necessary to comply with state or federal law, and rules and procedures regarding consumer opt-outs and notices.

State Attorneys General Urge FTC to Update Identity Theft Rules

On February 14, attorneys general from 31 states submitted a letter to the FTC to update its identity theft rules. The FTC originally adopted identity theft rules in November 2007, prior to substantial technological developments and growth in identity theft. The letter suggested adding a requirement that cardholders are notified by phone or email if a phone or email address associated with their account is changed, as well as changing "suspicious account activity" to include account access by new devices and repeated unsuccessful access attempts.

California Attorney General and Senator Introduce Legislation to Clarify CCPA

On February 25, California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson announced legislation to strengthen and clarify the CCPA. The bill, SB 561, would remove companies' rights to cure CCPA violations within 30 days before enforcement can occur and would add a private right of action for consumers. In addition, the bill would remove requirements that the attorney general provide businesses and third parties with individual legal counsel on CCPA compliance, instead specifying that the attorney general may publish general guidance on compliance.

Mississippi Attorney General Requires Education Company to Strengthen Post-Breach Security Measures

On March 8, the Mississippi attorney general announced an Assurance of Voluntary Compliance with an education testing service provider that requires the company to strengthen its cybersecurity measures. Following a data breach involving student information, the company will be subject to various requirements, including prompt notification of a breach, encryption of students' personal information, and the appointment of a supervisor who will be responsible for security updates and patch management. Most significantly, the assurance requires the company to implement a comprehensive information security program involving annual risk assessments, privacy and cybersecurity training for employees, and designation of a chief information security officer.

Utah Passes New Internet Privacy Law

On March 28, the governor of Utah signed into law H.B.0057, Utah's Electronic Information or Data Privacy Law. The law protects data stored with third parties, including email and cloud storage providers, from unlimited government access and requires law enforcement to obtain a warrant before accessing such data.

North Dakota Passes Law Authorizing Legislative Study on Consumer Personal Data

On March 28, the governor of North Dakota signed into law HB 1485, which requires a study of issues related to personal data for one year during the 2019–2020 legislative term. The study will examine protections for consumers related to the disclosure of personal data, as well as enforcement and remedies. The study also will examine privacy laws of other states and applicable federal law. The bill originally began as a proposal with provisions similar to the CCPA, but the legislature ultimately decided to conduct a study for one year before implementing data privacy legislation. The law takes effect on August 1.

States Propose CCPA-Type Bills

In 2019, several states introduced proposed legislation similar to the CCPA, which California passed in 2018. These proposed bills are still under consideration in several states. Recent developments include:

  • On February 5, Mississippi House Bill 1253 died in committee.
  • On March 8, the Maryland Senate Finance Committee held a hearing on Senate Bill 613.
  • On April 1, North Dakota passed House Bill 1485; however, the bill's text was replaced with an act providing for a legislative study of consumer personal data disclosures.
  • On April 2, Texas left House Bill 4518 pending in the House Business and Industry Committee.
  • On April 17, Connecticut amended Senate Bill 1108; the bill now establishes a task force to study possible methods for protecting consumer privacy. On April 25, the Senate passed the amended bill, and it is now under consideration by the House.
  • On April 28, Washington did not pass Senate Bill 5376 as the bill did not make its way through the legislative process.
  • On April 30, the Rhode Island Senate Judiciary Committee recommended Senate Bill 234 be held for further study.
  • On May 2, Texas placed its amended House Bill 4390 on its General State Calendar. The amended version of House Bill 4390 removed provisions requiring covered businesses to implement certain risk assessments and to inform individuals and the public about their data collection and processing practices.

Download >> Jones Day Global Privacy & Cybersecurity Update | Vol. 22

The following Jones Day lawyers contributed to this section: Tony Black, Shirley Chan, Meredith Collier, David Coogan, Jennifer Everett, Levent Hergüner, Jay Johnson, Christopher Markham, Mallory McKenzie, Mary Alexander Myers, Clinton Oxford, Mauricio Paez, Nicole Perry, Lauren Timmons, Kerianne Tobitsch, and Jenny Whalen-Ball.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions