Data Protection & Cybersecurity 2019

Last Updated May 08, 2019

Trends and Developments


Authors



Wilson Sonsini Goodrich & Rosati includes in its privacy and cyber-security team former senior officials in the Federal Trade Commission's Bureau of Consumer Protection, US Department of Justice's National Security Division, and the US Department of Defense. WSGR helps companies navigate the complex and ever-changing set of laws, regulations, and industry standards that govern the collection, storage, and use of information. With an insider's perspective on policy and enforcement culture, coupled with a real-world understanding of true litigation risk and industry practices, the firm provides an unparalleled combination of practical and policy experience. In addition to former senior government officials, WSGR’s team includes leading privacy litigators and a deep bench of compliance attorneys, transactional lawyers, and legislative and regulatory strategists. The team is based in Austin, Brussels, London, Palo Alto, San Francisco, and Washington D.C. WSGR’s privacy and cyber-security group has extensive experience with government investigations, enforcement actions, and litigation, with unique expertise in complex multi-jurisdictional privacy investigations and litigation. The firm's privacy and cyber-security attorneys represent companies that use or rely on data as part of their business. Among many other matters, the practice regularly provides practical advice on how companies can collect, use, and share data and still comply with the web of ever-changing privacy laws; defends companies in class-action and other privacy-related litigation; devises thoughtful and effective business and legal responses to security breaches; helps to create, enhance, and audit privacy and data security policies and programmes; develops and implements global compliance programmes; and counsels clients on compliance with regulations related to advertising and marketing in new media, including the use of endorsements and user-generated content.

California Consumer Protection Act of 2018

In June 2018, the California state legislature passed the California Consumer Protection Act of 2018 (CCPA), a ground-breaking state privacy law that aims to give Californians more control over their personal information. The CCPA is currently set to come into effect in January 2020, with State Attorney General enforcement beginning in July 2020. It applies to for-profit entities doing business in California that collect personal information from California consumers, and either:

  • have gross annual revenues in excess of USD25 million; or
  • alone or in combination, annually buy, receive for commercial purposes, sell, or share for commercial purposes, the personal information of at least 50,000 consumers, households or devices; or
  • derive at least 50% of annual revenues from selling consumers’ personal information.

‘Personal information’ and ‘sale’ are defined very broadly under the statute. How these terms will be interpreted in practice will have far-reaching consequences for businesses, particularly those with ad-based revenue models.

The CCPA was originally passed on an accelerated legislative time-line in order to avoid a restrictive ballot initiative. As a result, a number of open questions remain about how it overlaps with existing laws and how it will apply to businesses. The CCPA has already been amended to clarify internal inconsistencies and errors, and the California Attorney General’s office will draft rules implementing the CCPA requirements by July 2020. The Attorney General’s office is holding a series of six public forums on its implementation, which will inform its rule-making. 

Although the CCPA may not be set in stone, a number of basic requirements are unlikely to change. These include:

  • notice requirements (eg, informing consumers of the categories of personal information collected and the purposes for which that information will be used);
  • access and deletion rights (eg, disclosing to requesting consumers the categories and specific pieces of personal information collected about the consumer, the sources from which that information is collected, the business or commercial purposes for collecting or selling that information, and the categories of third parties with whom that information is shared); and
  • opt-out rights (eg, notifying consumers of their right to opt out of having their personal information sold to third parties by providing a clear and conspicuous link on their website homepage or app titled ‘Do Not Sell My Personal Information’).

Federal Privacy Legislative Proposals

In the United States, there is no comprehensive privacy law that regulates the collection, use and disclosure of consumers’ personal information. The US has adopted a decentralised, sectoral approach to privacy that has resulted in a patchwork of industry- and state-specific laws, such as the Fair Credit Reporting Act (FCRA), Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), 50 state data-breach laws, and state biometric privacy laws, among others. In addition, the Federal Trade Commission (FTC) uses its authority under section 5 of the FTC Act to deter ‘unfair and deceptive’ acts or practices in or affecting commerce, which includes business practices relating to privacy.

The US privacy framework has come under increased scrutiny in light of recent privacy headlines and the omnibus approach to privacy reflected in laws such as the EU General Data Protection Regulation (GDPR) and the CCPA. Much of this debate focuses on how much authority the FTC should have to police privacy, whether a federal privacy law should pre-empt state privacy laws, and how to give consumers control of their privacy online most effectively. A number of Congressional hearings have been held on consumer privacy over the past few months, and at least seven bills have been introduced in Congress that, if passed, could significantly affect companies in the business of collecting personal information from consumers.

For example, in April 2018, Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) introduced the CONSENT Act (S. 2639), a bill that would require the FTC to establish privacy protections for customers of online edge providers (eg, Facebook). A few months later, Senator Ron Wyden (D-OR) released a discussion draft of the Consumer Data Protection Act of 2018, a bill that would authorise the FTC to establish minimum privacy and cyber-security standards, issue fines of up to 4% of annual revenue for first offences, and impose ten- to 20-year criminal penalties on senior executives. In January 2019, Senator Marco Rubio (R-FL) introduced the American Data Dissemination Act, a bill modelled after the federal Privacy Act of 1974 that would supersede any provision of state law to the extent it relates to the maintenance of records covered by the Act or any other personally identifiable information. Although federal privacy legislation has historically faced long odds for passage, there may be sufficient momentum now for legislation to be approved.

FTC Hearings on Competition and Consumer Protection

The FTC has held a series of public hearings on competition and consumer protection in the 21st century to examine whether changes in the economy, business practices, technologies and international developments require adjustments of the Commission’s approach to consumer protection law, enforcement priorities and policy. Topics on the agenda included privacy, big data and competition; algorithms, artificial intelligence and predictive analytics; data security; and consumer privacy. According to the FTC’s website, the hearings may identify areas for FTC enforcement and policy guidance, including improvements to the agency’s investigation and law enforcement processes, as well as areas that warrant additional study.

The data security hearings were held at the FTC on 11-12 December 2018. They included opening remarks from the director of the Bureau of Consumer Protection, Andrew Smith; presentations and discussions on data security research and emerging threats; and panels on incentives to invest in data security, consumer demand for data security, data security assessments and enforcement, and the US approach to consumer data security. The FTC accepted comments on these hearings until 13 March 2019.

The consumer privacy hearings are scheduled for 9 to 10 April 2019. The FTC is re-examining the approach it took to consumer privacy in 2009-2012, when it last engaged the public on privacy issues in a comprehensive way. According to the FTC, this re-examination will include addressing fundamental questions about the goals of privacy policy-making and enforcement in light of rapidly evolving changes in law and technology, such as the proliferation of mobile apps, mobile payment systems and internet-connected devices, the GDPR and state biometrics laws. It will also include reassessing the Commission’s case-by-case approach to privacy and whether current definitions of consumer injury are sufficient to address privacy concerns.

FTC Data Security Orders

The FTC’s authority to issue broad data security orders recently came into question after the US Court of Appeals for the Eleventh Circuit vacated an FTC order requiring now-defunct medical laboratory LabMD to overhaul its data security programme. Specifically, the court found that the FTC’s mandate that the company implement a comprehensive information security programme was not specific enough to be enforceable. Rather than containing any prohibitions on committing specific acts or practices, the court found that the order required LabMD to overhaul and replace its data security programme to meet an “indeterminable standard of reasonableness” that was too vague to be understood or implemented.

The court’s ruling has significant implications for businesses that are or could be subject to a comprehensive data security order. The broad requirement to implement a comprehensive data security programme has been a common fixture in FTC data security orders since the Commission first imposed such a requirement in its settlement with Eli Lilly in 2002. The FTC has imposed similar obligations in privacy cases, such as in its settlement with Facebook in 2012. As a result, the court’s decision raises questions about how the Commission may proceed in privacy and data security enforcement actions in the future and whether the Commission will need to provide more specificity in its data security and privacy orders.

Cyber-Incident Disclosures

In February 2018, the SEC adopted a statement and interpretive guidance to assist public companies in preparing disclosures about cyber-security risks and incidents. Although the SEC has focused on cyber-security for years, the release is the first formal guidance issued by the agency to date. The new guidance provides the SEC’s views about public companies’ disclosure obligations under existing laws with respect to matters involving cyber-security risk and incidents. It also addresses cyber-security policies and procedures, disclosure controls and procedures, insider trading prohibitions and Regulation FD and selective disclosure prohibitions in the cyber-security context.

Just a few months after adopting this guidance, the SEC announced a USD35 million settlement with Altaba, formerly known as Yahoo! Inc, for allegedly misleading investors by failing to disclose a data breach that occurred in 2014. According to the SEC’s order, within days of the intrusion, the company’s security team learned that hackers had stolen its ‘crown jewels,’ ie, usernames, email addresses, phone numbers, birth dates, encrypted passwords and security questions and answers for hundreds of millions of user accounts. The SEC alleged that Yahoo! failed to investigate properly the circumstances of the breach and to consider adequately whether it needed to be disclosed to investors, even though information relating to the breach was reported to Yahoo! senior management and its legal department.

Most recently, in October 2018, the SEC issued an investigation report, finding that nine companies that suffered business email compromise (BEC) had insufficient internal controls to prevent such attacks. Although the Commission did not charge any of the companies profiled in the report, it is another example of the SEC's efforts to increase enforcement and oversight of public companies' cyber-security controls and governance processes.

The SEC’s active interest in this area serves as a potent reminder to companies that they should consider, among other things, whether they are sufficiently disclosing cyber-security risks and costs in annual and quarterly disclosures. They should also consider whether their incident response plans account sufficiently for disclosure obligations, the need to close trading windows, and the possibility of issuing public disclosures regarding the incident.

Wilson Sonsini Goodrich & Rosati

1700 K Street NW
Fifth Floor,
Washington, DC 20006-3814

+1 202 973 8800

+1 202 973 8899

lparnes@wsgr.com www.wsgr.com

