Questions and Answers Image 1

This blog post is the first in a series of Q&A posts following Dykema’s February 27, 2019 webinar on the California Consumer Privacy Act (“CCPA”). We received questions both before and during the webinar, and over the coming weeks we will be posting our responses. We will answer the most commonly-asked questions first, so please stay tuned if you don’t see your question in the first one or two posts. And, of course, please feel free to reach out to us if you have a unique question or would like to discuss in detail how the CCPA may apply to you.

Thanks for reading!  Continue Reading February 27, 2019 CCPA Webinar Q&As: Out-of-State, B2B, and GLBA-Covered Businesses

Biometric Image 71

The fallout from the Illinois Supreme Court’s January 25, 2019, opinion in Rosenbach v. Six Flags Entertainment Corp., 19 IL 12316, continues. Rosenbach settled the dispute of who qualifies as an “aggrieved person” under the Illinois Biometric Information Privacy Act (“BIPA”), and in doing so opened the floodgates for this litigation to proliferate. The immediate result was a sharp increase in the filing of BIPA class actions as well as the lifting of stays of the numerous cases pending that were awaiting the Rosenbach ruling.  Continue Reading All Stop: Ruling on the Applicability of Exclusion to BIPA Claims Delayed

Biometric Image 62

On January 19, 2019, federal Magistrate Judge Kandis Westmore of the Northern District of California denied the Government’s application for a search warrant that sought:

  1. “all digital devices” present at a California residence; (Order at 3), and
  2. “any individual present at the time of the search to press a finger (including thumb) or utilize other biometric features…for the purposes of unlocking the digital devices found in order to permit a search of the contents,” (Order at 1).

The request for the “use of biometrics” was stunning. Magistrate Judge Westmore denied the Government’s initial request, but invited the Government to submit a new search warrant. A day later when the Government submitted an amended application, it omitted the request to use biometrics. The court granted that amended application. Since the Government’s application named only two suspects in its affidavit, the Government’s request to compel any other individual present at the time of the execution of the search warrant to unlock their digital device(s) was too expansive.

Continue Reading Biometrics and Search Warrants: The Intersection of Your iPhone and the Fourth and Fifth Amendments

Consumer Protection Image

February was a busy month for those monitoring the latest developments with the California Consumer Privacy Act (CCPA). After the month kicked off with a series of California Attorney General Informational Sessions, the California State Assembly’s Privacy and Consumer Protection Committee conducted a hearing with testimony from interested parties, including Alastair Mactaggart (the architect of the initiative that led to the enactment of the CCPA), representatives from the California Attorney General’s Office, public interest groups, and industry groups. This hearing also coincided with the introduction of new proposed amendments to the CCPA that would, among other things, require businesses to disclose an estimate of what they paid or received for the sale of consumer data. The month culminated with the introduction of a Senate Bill that would greatly expand the reach of the CCPA by, among other things, granting consumers a private right of action for all CCPA violations and not just data breach violations.  Continue Reading CCPA Watch – February Marked by Heavy Legislative Activity, Proposal to Expand Private Right of Action under the CCPA

Privacy Protection Image

On Friday, January 25, 2019, California Attorney General Xavier Becerra’s Office held the fourth of its six public forums in connection with its rulemaking process for the California Consumer Privacy Act (“CCPA”). The purpose of the open forum, which was held in Los Angeles at the Ronald Reagan State Building, was to provide an initial opportunity for the public to participate in the CCPA rulemaking process. The formal rulemaking process is scheduled to begin later this year.

As noted in a prior Firewall blog post, the recently-enacted CCPA grants California consumers the right to know what information companies collect about them, the right to “opt out” from allowing companies to sell their personal information, the right to demand that companies delete collected information, and the right to receive equal service even if consumers exercise their “opt out” right. As required by the CCPA, the Attorney General must adopt its regulations on or before July 1, 2020. Businesses, however, must comply with the CCPA even before then, starting on January 1, 2020.  Continue Reading Different Viewpoints Represented at the Latest California Attorney General’s Office Public Forum on the California Consumer Privacy Act

Illinois Supreme Court Image

Last Friday, the Illinois Supreme Court delivered the highly anticipated Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, opinion. Businesses and consumers alike watched for the Court’s opinion regarding whether mere technical violations of the Illinois Biometric Information Privacy Act (“BIPA”) gave plaintiffs the requisite standing to seek damages under the statute. The Court heard the case after the Second District Appellate Court of Illinois ruled that an individual was not a “person aggrieved” by a technical violation and several other courts, both state and federal were split over the issue.  Rosenbach v. Six Flags Entertainment, 2017 IL App (2d) 170317.  In a fairly short opinion, focusing on statutory construction and the common meaning of the word “aggrieved,” the Illinois Supreme Court reversed the Appellate Court.  2019 IL 123186, ¶ 1. The Illinois Supreme Court held that an individual was in fact an “aggrieved person” under the statute where they are unable to show actual damage, but there has been a violation of the statute. The Court held, where there is no actual harm, the individual is entitled to statutory relief for each violation. In short, a technical violation is a violation.  The Illinois Supreme Court took a strong stance in that individuals should not have to wait for actual harm with respect to their biometric information and that businesses would lack the requisite motivation to comply with statutes like BIPA without such an interpretation.  Continue Reading Illinois Supreme Court’s Rosenbach Ruling Likely to Expand BIPA Litigation

Biometric Security Image 17

Over the last several years, the emphasis on privacy and data protection has grown significantly. With the amount of data collected by companies and technology skyrocketing, the need to protect personal information has been at the forefront of states’ legislative agendas. While all 50 states now have breach notification statutes, states are now taking a closer look at issues such as tracking online behavior and the use of biometric data. What used to be futuristic props in sci-fi media, face and fingerprint scanners, are now part of everyday life and consumer transactions. Despite the increase in the use of biometric data, only three states, Washington, Texas and Illinois have passed legislation addressing biometric data. Continue Reading Illinois’ BIPA’s Rollercoaster Ride to the Illinois Supreme Court

SEC Image 22

In February of this year, the Securities Exchange Commission issued its updated Statement and Guidance on Public Company Cybersecurity Disclosures.  In April, the SEC issued an Order that, among other things, levied a $35 million fine against Yahoo! Inc. for failing to properly report a 2014 data breach.  These actions support the view that the SEC is consciously committing attention and resources to cybersecurity issues affecting public companies.

Here are some key takeaways from both the Guidance and from the Yahoo! Order:  Continue Reading SEC Takes Aim at Cybersecurity Disclosures

FinTech Data Security Image

Not long ago, financial technology (FinTech) startups were all seeking to disrupt the market for financial services and compete directly with financial institutions (FIs) for customers. But as these startups have grown into more mature companies, cooperation with FIs has come to replace disruption for many FinTech firms. These companies have realized that FIs can help scale their technology to larger bases of potential users, and can also help FinTechs raise capital by showing strong partnerships and FI distribution channels.

In turn, FIs now recognize that FinTech firms offer more than competition, representing potentially valuable partnerships with better technology and an improved user experience. By collaborating with FinTechs, FIs can improve product offerings and increase efficiency, all without the FIs committing significant resources to create new solutions themselves.  Continue Reading Access vs. Security: Takeaways For U.S. Financial Institutions from the European PSD2 Open API Framework

Data Breach Image

When a data breach occurs, the guilty party—a fraudster or criminal syndicate— is often nowhere to be found. Who bears the loss from a breach perpetrated by a fraudster: the consumer whose data was compromised, the financial institution where the data was used, or the business that failed to protect the data? Often, the loss initially falls on the financial institution through account or card agreement provisions or deadlines imposed by statutes or regulations. Can a financial institution recover these losses from a business with whom it has no contract? This depends on which law applies. Continue Reading Recovering Data Breach Losses from Non-Contractual Parties