The U.S. Departments of State, Treasury, and Homeland Security, and the Federal Bureau of Investigation recently released a joint advisory (the “Advisory”) outlining a number of cyber theft, ransomware, and money laundering operations originating from organized hacking groups sponsored by the North Korean government. According to the Advisory, these state-sponsored hacking groups have attempted to steal as much as $2 billion through cyber-enabled thefts on financial institutions as of late 2019, and are known to use automated digital currency transactions to launder their ill-gotten gains. These cyber-theft operations are among the latest in the list of high-profile breaches these actors are believed to have been responsible for, including the WannaCry 2.0 ransomware that hit a number of hospitals and corporations in the United States and abroad in May 2017, and the Sony Pictures Entertainment breach in November 2014. Continue Reading U.S. Cyber Intelligence Warning Highlights Security Threat From Nation-Sponsored Advanced Persistent Threats (APTs) – Part 1

The Genesis of Three Competing Federal Bills

In 2018, there were numerous congressional and industry proposals aimed at addressing privacy on the federal level. Although none ever crystalized as federal law, the sheer number of lawmakers introducing proposals and getting involved in the debate made clear that privacy would be a focus in 2019. As 2019 began, there was hope that the various state privacy statutes being enacted and debated were putting even more pressure on the federal government to enact bipartisan federal privacy legislation. The California Consumer Privacy Act’s (CCPA) January 1, 2020 go-live date also seemed to be increasing pressure on Congress to act. Nowhere was the combination of hope and pressure more pronounced than in the Senate Committee on Commerce, Science, and Transportation. Throughout 2019, bipartisan discussions on federal privacy legislation seemed to be progressing. Those talks ultimately broke down towards the end of 2019 and resulted in three separate, rival legislative proposals: COPRA, CDPA, and CDPSA. Continue Reading Federal Privacy Legislation: Where Are We and Where Are We Going?

On March 26, 2020, the District of Colombia enacted Act 23-268, known as the “Security Breach Protection Amendment Act of 2020.” Acting as an amendment of Section 28 of Chapter 38 of the District of Columbia Code, the Act: (1) expands the definition of “personal information,” (2) amends breach notification requirements, (3) adds new security requirements; and (4) expands the Act’s enforcement.

1. Definition of “Personal Information”

Under the Act, “personal information” now includes an individual’s name combined with one of the following data elements: Continue Reading District of Columbia Amended Privacy Law Creates New Requirements

On the list of concerns recently expressed about police conduct, data privacy ranks relatively low. However, a recent privacy leak by the New York Police Department’s union has shown how data privacy concerns can arise in any situation.

On May 30, the NYPD union tweeted a picture of a computer screen showing recent NYPD arrests relating to the recent civil disturbances following the widely publicized deaths of George Floyd, Breonna Taylor, and others. New York mayor Bill de Blasio’s daughter, Chiara, appeared on the report. The unredacted screenshot showed her name, her birth date, and her driver’s license information—the last being considered personally identifiable information under New York law. Twitter removed the post as a violation of its rules and suspended the union’s account. Continue Reading Government Data Leaks May Have Broad Data Privacy Implications

Among countless other disruptions, COVID-19 has raised important questions about the limits of data collection and highlighted the shortcomings of both the European Union’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”). The pandemic has proven to be a black swan for which neither law nor its enforcement bodies are prepared—and which carries privacy-law implications that will persist long after the health crisis ends. Consequently, governments and businesses must work without meaningful existing guidance to strike a delicate balance between gathering the critical information needed to manage the virus and honoring the GDPR’s and CCPA’s stringent requirements.

Data Collection in Europe

The European Data Protection Board’s general guidance on how to collect data, in the context of COVID-19, leaves much room for interpretation. GDPR Articles 6 and 9 permit data collection without consent if the processing is necessary for the performance of a task carried out in the public interest. Although combating COVID-19 qualifies as a public interest need, it is unclear whether the collection methods employed, which vary by country, qualify as “necessary” under GDPR, or whether or to what extent those processes can sustain after the pandemic without violating the law. Each member state decides for itself how much intrusion is necessary, which invites comparisons to determine how far is far enough when gathering data in the public interest. Continue Reading The Crisis Beyond the Crisis: How Data Tracking for COVID-19 Creates Privacy Issues That Will Persist Once the Pandemic Is Over

In a case of first impression, the Seventh Circuit just answered a much-anticipated question about standing in cases filed under the Illinois Biometric Information Privacy Act (“BIPA”).  Bryant v. Compass Grp. USA, Inc. decided whether a BIPA plaintiff has Article III standing. The answer is both yes and no.  This dual answer is not surprising given the awkwardness of the arguments presented. Though the holding is a victory for the defense bar, Bryant is the latest evidence of an ever-increasing circuit split that should culminate in the United States Supreme Court further clarifying its holding in Spokeo v. Robins concerning Article III standing.

Like most BIPA cases, the Bryant complaint was originally filed in Illinois state court. The Bryant plaintiff asserted claims under both sections 15(a) and 15(b) of BIPA. The former relates to the defendant’s failure to make publicly available disclosures, and the latter relates to the defendant’s failure to secure the plaintiff’s individual informed consent. The defendant removed the case to federal court. The plaintiff then moved to remand, ironically contending that she lacked a sufficiently concrete injury in fact to maintain Article III standing to maintain federal court jurisdiction. The defendant paradoxically argued that plaintiff alleged such an injury, relying on the Illinois Supreme Court opinion in Rosenbach v. Six Flags Entm’t Corp., wherein the court held that a violation of the right to receive certain information is an actionable grievance. The novelty of these arguments was not because of their substance, but instead, which side advanced them—an observation that Judge Wood noted in her opinion. Siding with the defendant, the district court remanded the case, and the plaintiff appealed. Continue Reading BIPA Case Addressing Article III Standing Foreshadows Potential SCOTUS Review of Spokeo

Data security is not just hackers in cyberspace. It also exists in the physical world, and some of it relates to pedestrian but necessary security protocols for nuts-and-bolts objects. A recent report of a data leak shows how focusing exclusively on active systems can lead to unexpected and potentially problematic results.

In the story linked above, a manufacturer of connected vehicles replaced a number of its data storage appliances. A white-hat hacker reported that he had purchased four of the replaced units from eBay and found that they still contained the customers’ personal data, including the owners’ home and work locations, all saved wifi passwords, calendar entries from the customers’ phones, call lists and address books from paired phones, and Netflix and other stored session cookies. This incident follows a report from white-hat hackers last year who discovered drivers’ personal information in the electronic systems of salvaged vehicles. Continue Reading Data Security: What Happens at the End of the Road?

Despite its unassuming name, the EARN IT Act has substantial cybersecurity implications, its relative obscurity in today’s coronavirus-obsessed headlines notwithstanding. The Eliminating Abusive and Rampant Neglect of Interactive Technologies (“EARN IT”) Act has already caught the ire of the collective internet and technology spheres due to its dramatic alteration of the safe harbor provisions of Section 230 of the Communications Decency Act (Title V of the Telecommunications Act Of 1996). Although still in the early stages of the legislative process, curbing Section 230’s protections has already garnered substantial support from leaders in both parties, including Joe Biden and Ted Cruz. Therefore, EARN IT’s progress merits close monitoring. Continue Reading Putting in the Work: What Does the EARN IT Act Have in Store for Average Businesses

Recently, we cautioned companies to ensure that their workers’ mobile phones remain secure. On April 23, news about a possible security vulnerability in Apple’s iPhone mail system lends this recommendation additional urgency.

ZecOps, a San Francisco-based mobile security firm, claims to have discovered a hack targeting iPhones’ native email program. This hack is called a “zero click” attack, because unlike a typical “phishing” exploit, which requires the victim to click on a link in an email or text message, a “zero click” exploit can execute without the victim’s action or knowledge. According to ZecOps, the vulnerability enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory. The attackers can trigger the vulnerability before the entire email is downloaded, so the email content will not necessarily remain on the device. In other words, the perpetrators can send an email containing malicious code, and that code can then set off a chain reaction, or an “exploit chain” that overcomes the phone’s defenses and erases its tracks along the way. Such an attack can be nearly impossible to detect. Continue Reading iPhone Hack Highlights Home Office Data Security Risks

The California Consumer Protection Act (“CCPA”) was in effect for just over three months when the American economy stopped cold in the face of the COVID-19 global pandemic. Much effort was expended in the months before the January 1, 2020 effective date to ensure compliance with the CCPA which, like its European cousin, the General Data Protection Regulation (“GDPR”) aspires to protect data and personal information. But also like the GDPR, many anticipated enforcement by the California attorney general (scheduled to begin on July 1, 2020) to provide guidance on how the CCPA would be interpreted and applied. Then the world came to a halt. Literally. Notwithstanding, as discussed in our earlier post, the California Attorney General has signaled that businesses subject to the CCPA should not expect any delays in enforcement. To be clear, privacy concerns did not cease to exist because of the pandemic. These concerns simply took a back seat as the world focused on defeating the virus. But privacy rights may be moving to the forefront again with the advent of COVID-19 tracking applications under consideration by governments seeking to use this technology to contain the spread of the virus. Most recently, on April 10, 2020, Google and Apple announced a joint endeavor to use Bluetooth technology in conjunction with apps from public health authorities to allow contact tracing of those individuals affected with COVID-19. The system is supposed to ensure users’ privacy and operate only with valid consent. See also our recent blog post on Locating COVID-19 Without the Location Data. Although tracking technology is not new–other iterations were used to track other diseases such as the seasonal flu–its use here would be one of the first to be used in the CCPA era. And arguably, the need to comply with the CCPA–passed by referendum in one state–has affected the usefulness of contact tracing solutions in every state. The Apple-Google solution, for example, covers the vast majority of mobile devices and is likely to be the only solution agreed upon by these two companies. It skirts the need to handle geolocation data, reducing the regulatory footprint under the CCPA, but the very lack of geolocation data degrades the usefulness of this system to local governments for finding and locking down hotspots–and to users in avoiding them. Few, if any, privacy professionals envisioned that preparation for CCPA compliance needed to include protocols for responding to governmental requests for data in combatting a public health crisis. But here we are. Continue Reading Will COVID-19 Finally Prompt a Federal Privacy Law?