Consumer Protection Connection

Consumer Protection

State Data Breach Notification Laws – Overview of Requirements for Responding to a Data Breach (Updated June 2016)

Posted in Data Security, Privacy, Regulations

We have updated our summary of state data breach notification laws in light of recent amendments to some of the laws since our last update in September 2015.

Notably, Tennessee amended its data breach notification law, the Identity Theft Deterrence Act, effective July 1, 2016, by eliminating an encryption safe harbor and requiring that affected residents be notified of a breach affecting their personal information immediately, and no later than 45 days after discovery of the breach.  Thus, the notification obligation extends to all computerized data that is subject to unauthorized acquisition, regardless of whether the data is encrypted or unencrypted.  Tennessee is the first state to extend data breach notification obligations to encrypted data.

Illinois also amended its data breach notification law, the Personal Information Protection Act (PIPA), effective January 1, 2017.  Consistent with some other state laws, the amendments to PIPA expand the definition of “personal information” to include medical information, health insurance information, and unique biometric data when used with an individual’s first and last name, as well as a user name or e-mail address plus a password or security question and answer that would provide unauthorized access to an online account.  In addition, covered entities and business associates that are subject to the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act and are required to notify the Secretary of Health and Human Services of a breach will be deemed to be in compliance with PIPA if they notify the Illinois Attorney General of the breach within five business days of notifying the Secretary.

To view the latest summary on our website and/or download a copy, click here.

FAA Paves the Way for More Ubiquitous Use of Drones

Posted in Regulations

On June 21, 2016, the Federal Aviation Administration (FAA) released its much-anticipated new Small Unmanned Aircraft System (UAS) Rule (Part 107). Simultaneously with its release, the White House issued a Fact Sheet for the new Rule. The Rule permits the operation of small UAS (an unmanned aircraft weighing less than 55 pounds) in the National Airspace System, and paves the way for the more ubiquitous use of UAS (aka drones) for commercial, public safety, scientific, and educational purposes.

The FAA has historically accommodated non-recreational small UAS use through special airworthiness certificates, exemptions, and certificates of waiver or authorization. In its latest annual Aerospace Forecast Report for Fiscal Years 2016 to 2036, the FAA noted that, as of March 16, 2016, more than 4,000 exemptions had been granted for commercial UAS operations, and the FCC had received approximately 408,000 registration applications for UAS weighing less than 55 pounds.

The new Rule will permit UAS operations for applications such as the delivery of consumer goods, inspections of cell phone towers, bridges, pipelines, electric lines, and oil rigs, crop monitoring, search and rescue missions, research and development, and aerial photography, to name a few. The Rule limits small UAS to daylight and twilight operations with appropriate collision lighting, confined areas of operation, and visual-line-of-sight operations, and imposes operational limitations and remote pilot in command certification and responsibilities. There is a waiver mechanism to accommodate new technologies and unique circumstances if a proposed operation can be conducted safely under the terms of a certificate of waiver.

While the FAA’s new Rule does not address privacy issues, this is a developing area that will remain at the forefront. Several Federal agencies have instituted UAS privacy pursuant to a Presidential Memorandum issued last year, Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems. In addition, the National Telecommunications and Information Administration (NTIA) convened a multi-stakeholder process to examine the privacy, transparency, and accountability issues relating to commercial and private use of UAS. NTIA recently released an updated Voluntary Best Practices for UAS Privacy, Transparency, and Accountability, which focuses on when UAS operators should provide notice and/or obtain consent from individuals whose personal data they collect, and how such data should be used, shared, and stored.

The small UAS Rule is the first of many steps in the advancement of aviation technologies to enhance operational efficiencies, public health and safety, and quality of life.

Preparing for the EU General Data Protection Regulation: A Checklist for Businesses

Posted in Data Security, Privacy

The new European Union General Data Protection Regulation (GDPR) (Regulation 2016/679, Apr. 27, 2016) will replace the Data Protection Directive (Directive 95/46/EC) effective May 25, 2018.  The GDPR has been a long time coming, and introduces a host of new requirements for companies that use or process data in the EU, or simply use or process data about EU citizens anywhere in the world outside of the United States.  The reforms will give European consumers new rights and control over their personal information, and impose new obligations on businesses, to the extent that they collect personal information from EU citizens, regardless of where they reside, or individuals who reside in the EU, regardless of their nationality.

Given the magnitude of new requirements in the GDPR, it will be important for companies to begin the compliance process now.  A good starting point is for businesses to assess their current practices and identify gaps, and use that to map out a step by step compliance plan specific to their data collection practices that fully prepares them for the new GDPR world in 2018.

Keller and Heckman LLP attorneys have prepared a summary of the key requirements in the GDPR and a compliance checklist for businesses.  To view them on our website and/or download a copy, click here.  For more information on the GDPR or other privacy and data security matters, please contact Sheila Millar (+1 202.434.4143, or Tracy Marshall (+1 202.434.4234,

Supreme Court Requires Plaintiffs to Show Harm or Risk of Harm, Not Bare Procedural Violation, to Get Statutory Damages

Posted in Cybersecurity, Data Security, Litigation, Privacy
SCOTUS at dusk, Joe Ravi | CC-BY-SA 3.0
Joe Ravi | CC-BY-SA 3.0

Last year, we noted that the Supreme Court had granted certiorari in a case that could limit the ability of plaintiffs to sue defendants over bare statutory violations without the showing of actual injury. The case implicates a wide variety of statutes that grant monetary awards to successful plaintiffs on the basis of statutory violations. In order to pursue a claim in federal court, a plaintiff must demonstrate standing (the right to be heard in court), which requires (among other things) an “injury in fact,” which occurs when a legally protected interest is invaded and that invasion is “concrete and particularized.”

Here, in Spokeo, Inv. v. Robins, plaintiff Thomas Robins alleged that Spokeo was covered by the Fair Credit Reporting Act (FCRA) and violated the statute by providing inaccurate information about him through its “people search engine” website. Willful violations of the FCRA allow consumers to seek statutory damages of $100 to $1,000, plus punitive damages.

The Supreme Court decided against the plaintiff, concluding that a “bare procedural violation” cannot satisfy Article III, and remanding the case. Justice Alito wrote for the majority:

Congress plainly sought to curb the dissemination of false information by adopting procedures designed to decrease that risk. On the other hand, Robins cannot satisfy the demands of Article III by alleging a bare procedural violation. A violation of one of the FCRA’s procedural requirements may result in no harm.

So, violating mere procedural niceties will not necessarily meet the injury-in-fact requirement. The Court was, however, careful to note that “intangible injuries can nevertheless be concrete,” and a “concrete” injury can incorporate a “real risk of harm.” Thus, “[f]or example, the law has long permitted recovery by certain tort victims even if their harms may be difficult to prove or measure.” A risk of injury that is substantial enough may satisfy the concreteness element of the injury-in-fact requirement. As a counterexample, the court noted that “[i]t is difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm.”

On this basis, the Court vacated the Ninth Circuit’s finding that Robins “particularized” injury satisfied the injury-in-fact requirement. A particularized injury is necessary—the Court took no issue with the Ninth Circuit’s finding on that point – but not sufficient. The Court directed the Ninth Circuit to conduct further analysis of whether “whether the particular procedural violations alleged in this case entail a degree of risk sufficient to meet the concreteness requirement” of Article III standing requirements.

Going forward, under a variety of federal statutes, plaintiffs for whom Congress has provided damages will need to prove not merely that a statute was violated but will have to inquire whether a statutory or procedural violation actually meets the concreteness requirement, including by showing that the procedural violation is not only in violation of procedural requirements, but also showing that the violation “harm[s] or presents the risk of harm.” For claims under statutes that authorize minimum monetary damages for statutory violations—such as the Telephone Consumer Protection Act (TCPA), which authorizes $500 to $1,500 in damages for unsolicited text messages—harms or risks of harm may be hard to prove.

Justice Alito was joined by Chief Justice Roberts, and Justices Kennedy, Thomas, Breyer, and Kagan. Justice Thomas also concurred, and Justice Ginsburg dissented, joined by Justice Sotomayor.

GDPR Publication Starts Countdown to May 2018 Compliance Date for New Privacy Rules

Posted in Legislation, Privacy, Regulations
EU Flag

The new General Data Protection Regulation (GDPR) (Regulation 2016/69, Apr. 27, 2016), approved by the European Parliament and the Council of the European Union, was formally published in the Official Journal of the European Union on May 4, 2016, and will replace the Data Protection Directive (Directive 95/46/EC) effective May 28, 2018. This new set of requirements has been a long time coming, but brings a host of new requirements important to companies that use or process data in the EU or simply use or process data about EU citizens anywhere in the world outside the U.S. Unlike a directive, the GDPR does not require enabling legislation by Member States to apply, but Member State action is nonetheless anticipated in areas like updating penalties and defining a “child” for purposes of the Regulation.

Among the key requirements created by the GDPR are the following:

  • Companies outside the EU that are targeting EU consumers will be subject to the GDPR.
  • Data controllers will be required to maintain paperwork, and to conduct Privacy Impact Assessments (PIAs) for more sensitive types of data processing.
  • Data subjects’ consent must be clear, unambiguous, and—for sensitive data—explicit; consent may also be withdrawn.
  • A single data protection authority (DPA) will be able to be the “lead DPA,” enabling the lead DPA and other concerned DPAs to handle local or urgent cases in manner that will (hopefully) be more streamlined.
  • DPAs will be authorized to impose fines of up to 4% of global annual turnover for certain infringements, or 2% for less serious infringements.
  • Notifications of data breaches must be accomplished within 72 hours of learning of the breach, where feasible, although notification need not be made to the DPA if it is unlikely to result in risk to the rights or freedoms of individuals.
  • Many companies will be required to designate a data protection officer (DPO).
  • Special rules will apply to children’s data. Unlike the U.S., where a “child” is defined as “under 13” per the Children’s Online Privacy Protection Act (COPPA), Member States have the ability to establish an age between 13 and 16 as the age of a “child” for purposes of the GDPR. Divergence could create real headaches for businesses given practical limitations of getting “verifiable parental consent” when dealing with teens.

The GDPR comes at a sensitive time for many companies, with tensions over the “right to be forgotten” and the EU-U.S. Privacy Shield continuing to garner criticism from some DPAs. Companies with business or customers in the EU should begin preparing for the GDPR, if they have not begun already. Creating the relevant structures and laying out appropriate documentation will rapidly consume the two years before the GDPR applies mandatorily. The starting point for many companies will be to assess current practices and identify gaps now and use that to map out a compliance plan that fully prepares them for the new GDPR world in 2018.

Millar to Lead Toy Marketing Panel at CARU

Posted in Events, Privacy

Even as advertising to kids gets more complicated, the basic principles remain the same.

This week, Children’s Advertising Review Unit (CARU), an independent self-regulatory organization within the Council of Better Business Bureaus (CBBB) which monitors children’s advertising and helps marketers vet ads and campaigns, is hosting its annual conference, “Reimagining Children’s Advertising: Getting it Right in an Evolving Landscape,” in Marina del Rey, California. This dynamic program will bring together legal experts and major children’s advertisers to examine the children’s marketing landscape. Longtime CARU supporter and participant Sheila Millar will moderate a panel on marketing toys—“To Infinity and Beyond! Toy Story: What You Need to Know When Marketing Toys.” This panel will address the unique challenges when marketing both new and traditional toys and games to children.

Millar to Speak on Green Marketing at Foodservice Packaging Conference

Posted in Advertising

Environmental claims are attractive to marketers because they are attractive to consumers. The Federal Trade Commission (FTC) has issued guidance—the Guides for the Use of Environmental Marketing Claims, or Green Guides—to help industry assess what consumers will understand about various “green” claims. Among the most important claims is whether a product is “recyclable,” and determining when an unqualified claim of recyclability can be made is based in large part on the availability of recycling to consumers. The more broadly consumers in the sales area will have access to recycling, the stronger a marketer’s claim of recyclability can be. Less access means that a marketer must qualify its claim, which also (necessarily) reduces its impact.  Because the term “recyclable” is so important to marketers, and because its use is predicated on showing consumer access to recycling facilities, studies demonstrating the availability of recycling are critical substantiation tools in the field of green claims.  Similarly, substantiation requirements for other claims, like non-toxic, renewable, degradable and the like, often require a specific understanding of relevant standards, with the overlay of assessing implications from a consumer perception standpoint. 

Keller and Heckman partner Sheila Millar will address recyclable and other green claims at this week’s FPI Spring 2016 Conference during a panel session on “Environmental Marketing Claims and Foodservice Packaging.” The panel will also discuss results of a new “availability of recycling programs” study and what it means for the foodservice packaging industry. Established in 1933, the Foodservice Packaging Institute (FPI) is the trade association for the foodservice packaging industry in North America. FPI’s members include raw material and machinery suppliers, packaging converters, foodservice distributors and operators/retailers. The conference is being held in Ponte Vedra Beach, Florida.

California Adds Styrene to Proposition 65 List; Proposes NSRL

Posted in Product Safety, Regulations, Uncategorized

On April 22, 2016, California’s Office of Environmental Health Hazard Assessment (OEHHA) added styrene to the Proposition 65 list of carcinogens. OEHHA maintains a list of chemicals required under Proposition 65 (formally, the California Safe Drinking Water and Toxic Enforcement Act) that are “known to the state” to be reproductive toxicants or carcinogens based on Proposition 65 criteria. OEHHA also proposed a No Significant Risk Level, or NSRL, for styrene of 27 µg per day. Under Proposition 65, companies that sell products in the state must inform consumers if their products or establishments will expose consumers to a listed chemical above the NSRL.

OEHHA’s listing follows a litigation settlement with the Sierra Club. The settlement agreement required OEHHA to decide whether to list a number of substances under Proposition 65’s “authoritative bodies” listing mechanism if there is sufficient evidence to conclude that the chemical is a carcinogen to humans. OEHHA’s listing is based on a 2011 action by the National Toxicology Program’s (NTP) Report on Carcinogens, which listed styrene as “reasonably anticipated to be a human carcinogen.”

Comments on the proposed NSRL are due by June 6, 2016.

NTIA Steps into IoT Debate

Posted in Cybersecurity, Privacy
NTIA Steps into IoT Debate

Continuing its tradition of active involvement in digital economy questions, the Department of Commerce’s (DOC) National Telecommunications and Information Administration (NTIA) issued a request for public comment on questions posed by the growth of the Internet of Things (IoT). The explosive growth of connected products, anticipated to reach 25 billion by 2020, is one reason for the request for comment. The request for comment is intended to reflect the “four pillars” of DOC’s Digital Economy Agenda: promoting a free and open Internet worldwide; promoting trust and confidence online; ensuring Internet access for workers, families and companies; and promoting innovation in the digital economy.

NTIA seeks comment on a range of IoT questions grouped under various headings, including general, technology, infrastructure, policy and international engagement. Questions touch on technical and policy opportunities to promote (or hinder) growth, challenges (including privacy and cybersecurity, impacts on rural communities, etc.), infrastructure needs (interoperability, standards, spectrum, available network infrastructure, etc.) and international engagement. NTIA has previously sponsored several multi-stakeholder workshops, including a current initiative on facial recognition technology, and specifically solicits comment on whether a multi-stakeholder initiative would be useful. After receiving comments, NTIA will use the input to draft a “green paper” identifying key issues affecting deployment of IoT, discussing potential benefits and challenges, and outlining roles for the federal government in advancing IoT technologies in collaboration with the private sector. Comments are due by 5 p.m. ET on May 23, 2016.

Appeals Court Agrees That Health Solutions Provider’s Insurance Requires Defense in Data Disclosure Class Action

Posted in Data Security, Litigation, Privacy

Availability of insurance is often among the first questions that arises when a company encounters a data breach or other Internet-related problem involving company records, even where the company lacks a cyberinsurance policy. The federal Fourth Circuit Court of Appeals recently affirmed a ruling by a District Court that required insurance coverage for an inadvertent disclosure of private healthcare information under the policy’s provisions regarding the publication of material that may give “unreasonable publicity” to, or disclose information about, a person’s private life. Travelers Indem. Co. v. Portal Healthcare Solutions, LLC, Case No. 14-1944 (4th Cir. April 11, 2016) (unpublished).  Two patients of Portal Healthcare who found their medical information through a Google search filed a class action suit against the hospital for allegedly having inadvertently made hospital medical records available and unprotected on the Internet. Portal then sought coverage against its insurer, Travelers Indemnity Company.

Travelers, in turn, sought a declaratory judgment that it was not obliged to defend Portal under the traditional policies that Portal had purchased. The trial court found coverage under policy language covering an injury arising from the “electronic publication of material” that discloses information about a person’s private life. See Travelers Indem. Co. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765 (E.D. Va. 2014). This type of traditional invasion of privacy claim has historically been covered by this type of policy. According to the trial court, the private medical information was “published” because it was available to everyone on the Internet—even though it was unclear whether anyone besides the two plaintiffs had ever accessed it—and because the information clearly related to the patient’s private life. The appellate court agreed with the trial court’s reasoning and affirmed the finding that Travelers had a duty to defend Portal in the suit.

Whether a particular insurance policy will cover a particular data breach depends on the terms of the relevant provisions, and this case may represent a unique situation in both the contractual terms and the facts surrounding the alleged breach. However, the appeals court’s decision is a persuasive reminder that insurance policies are generally read to benefit the insured where possible and where ambiguity lies. Companies managing their data flows should ensure that agreements with vendors appropriately to maximize data protections and appropriately apportion responsibility in the event of breach. Insurance coverage is also an important consideration. In this era of exponential growth in data breach litigation, companies should also carefully examine insurance policies for both coverage and for exclusions, as the insurance industry’s response to this sort of coverage decision may involve added limits on the types of claims that are covered.


Consumer Protection Connection