Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Policy and Regulatory Positioning

FTC Delays Decision on Proposal Under COPPA Rule

Posted in Policy and Regulatory Positioning, Technology

Parents and companies will have to wait a few more weeks before learning whether facial recognition technology can be used to verify parental consent under the Children’s Online Privacy Protection Act (COPPA).

The Federal Trade Commission announced on October 23 that it will delay until November 18 its decision on whether to approve a new verifiable pa… Continue Reading

States Try to Make the Grade with Student Data Privacy Efforts

Posted in Data Protection, Policy and Regulatory Positioning

Eight states passed substantive bills during the 2015 legislative session requiring education-focused Internet service, websites and mobile app providers to take measures to protect student data

With students around the country back in school, it’s time for educators and education-focused technology (“EdTech”) service providers to pick up … Continue Reading

Chip-and-PIN (EMV) Credit Card Liability Shift is Oct. 1: Are You Ready?

Posted in Data Protection, Policy and Regulatory Positioning

October 1 is right around the corner. Merchants, retailers, hotels and restaurants: are you ready for what’s in your customers’ wallets?

Starting next month, the payment card industry’s transition to chip-and-PIN (also known as EMV) payment cards will take effect. As part of this transition, merchants, retailers, and all other businesses that a… Continue Reading

DoD New Cyber Security Reporting Rules for Contractors

Posted in Cyber and National Security, Policy and Regulatory Positioning

In a move that highlights the changing winds of federal cybersecurity policy, the Department of Defense (“DoD”) has issued an interim Rule (“Rule”) that imposes new security and reporting requirements on federal contractors, and new requirements for DoD cloud computing contracts.

The Rule requires federal contractors to report cyber incide… Continue Reading

Getting More Personal: California Amends Data Security Law

Posted in Data Protection, Policy and Regulatory Positioning

California’s data security statute will get a little more “personal” as of January 1, thanks to a recently-passed amendment revising the definition of covered personal information.

On July 14 California expanded the definition of “personal information” under its data security statute with the enactment of A.B. 1541 effective January, 201… Continue Reading

What are the Federal Privacy Laws for Businesses?

Posted in Policy and Regulatory Positioning

Does your new business collect personal information about customers or employees? Do you want to increase your revenues through targeted or behavioral marketing? Do you want to minimize the risk of personal information being stolen, and the costly after-effects?

If you answered yes to any of those questions, you need to know the rules of the ro… Continue Reading

Commerce Dept. Reviewing Stakeholder’s Cybersecurity Comments

Posted in Policy and Regulatory Positioning

Stakeholders praise task force’s efforts to develop stakeholder processes to confront cybersecurity issues where regulations might not be effective, but caution against mandatory requirements

The U.S. Department of Commerce’s Internet Policy Task Force (IPTF) is currently reviewing feedback collected in response to a Request for Public Comm… Continue Reading

FCC’s TCPA Order Offers Little Clarity or Relief for Businesses

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

In potentially its most significant action under the Telephone Consumer Protection Act (TCPA) since 2003, the Federal Communications Commission released its previously-adopted Declaratory Ruling and Order on July 10th in which it resolved 19 petitions seeking declaratory rulings. As we foreshadowed upon the Order’s adoption, it does little to pr… Continue Reading

Connecticut Imposes New Data Security Obligations

Posted in Data Protection, Policy and Regulatory Positioning

New law will require consumer breach notice within 90 days, identity theft protection for consumers, “kill switch” for smartphones, and implementation of data security programs for certain health providers, state agencies and contractors

And Connecticut makes eight.

On the heels of the largest health care insurance and government data breaches … Continue Reading

2015 Data Breach Legislation Six Month Review: Many Proposals, Few Changes

Posted in Policy and Regulatory Positioning

The heat of summer may be upon us, but in Congress and in many state legislatures the attitude toward passing major data breach legislation has considerably cooled.

We predicted some months ago that 2015 might be the year that Congress finally passed national data breach notification legislation, given what appeared to be ample bipartisan support. The ne… Continue Reading

Telephone Surveillance Hang-Ups: Second Circuit Asks Parties in ACLU v. Clapper to Brief Whether the USA Freedom Act Moots Plaintiff’s Claims

Posted in Cyber and National Security, Policy and Regulatory Positioning

Not long after striking down the National Security Agency’s telephone surveillance program in ACLU v. Clapper, the Second Circuit is asking the parties to assess whether recently passed federal legislation has rendered the plaintiff’s claims moot.

On May 7 the Second Circuit Court of Appeals ruled that the NSA’s bulk telephone metadata collecti… Continue Reading

Nevada Expands PI Definition under Data Breach Law

Posted in Policy and Regulatory Positioning

Becomes the fifth state to amend its data breach statute since January 2015

The definition of “personal information” (“PI”) just got a little bit bigger in the Silver State.

On May 13, Nevada Governor Brian Sandoval signed A.B. 179 into law, approving an expansion of what constitutes PI under Nevada’s data breach law. The amendment keeps all of t… Continue Reading

Washington State Amends Data Breach Law

Posted in Policy and Regulatory Positioning

Passage of H.B. 1078 sets a 45-day notification deadline, adds additional notice requirements

Washington Governor Jay Inslee signed H.B. 1078 into law on April 23, revising the state’s data breach notification statute and imposing additional notification requirements on businesses that suffer an unauthorized disclosure of “personal informat… Continue Reading

Are Regulatory Fears Impeding Industry Cyber Sharing?

Posted in Cyber and National Security, Policy and Regulatory Positioning

Business leaders confess that concerns of adverse regulatory actions are impacting industry willingness to share cyberthreat information with authorities

They say that no good deed goes unpunished. And when it comes to cyber sharing, industry leaders are concerned that their only “reward” for helping the government identify and respond to cyber… Continue Reading

Has Your Website’s EU Safe Harbor Expired?

Posted in Global, Policy and Regulatory Positioning

FTC proposes twenty-year compliance program for two companies that have settled charges that they misrepresented that they are currently compliant with the US-EU Safe Harbor Framework.

Does your company rely on the US-EU Safe Harbor Framework in order to transfer personal consumer data about EU residents outside of Europe? If so, you probably have a s… Continue Reading

Montana Tweaks Data Breach Statute

Posted in Data Protection, Policy and Regulatory Positioning

The Big Sky Country’s data breach statute is going to see some small changes come October.

On Feb. 27, 2015, Montana Governor Steve Bullock signed H.B. 74 into law, amending the state’s data breach notification statute. Among its changes, H.B. 74 broadens the definition of personal information (“PI”) and requires entities giving notice to con… Continue Reading

Chairman Wheeler Says the FCC Didn’t Just Fall Off the Turnip Truck – It Has Experience with Protecting Consumer Privacy, Too

Posted in Communications/Media, Marketing and Consumer Privacy, Policy and Regulatory Positioning

Last night the Center for Democracy & Technology held its annual dinner (a.k.a. the “Tech Prom”) in Washington, D.C., where FCC Chairman Tom Wheeler was featured as the keynote speaker. Wheeler’s remarks came on the heels of the Commission’s vote to adopt new open Internet rules, which are expected to provide the agency with broader aut… Continue Reading

Chip-and-PIN (EMV) Transition: Transition Hampered …

Posted in Data Protection, Policy and Regulatory Positioning

A recent report from the Congressional Research Service (CRS) highlighted a number of factors that are delaying the transition to chip-and-PIN (EMV) cards before the credit card network-imposed deadline of Oct. 1, 2015. The CRS predicted four factors would slow chip-and-PIN adoption in the U.S. – the high cost to implement compatible point-of-sale … Continue Reading

White House Big Data Working Group Claims “Significant Progress” On Executive Branch Privacy Initiatives, But Blames Congress and Big Data Stakeholders for Delaying Important Privacy Legislation and Voluntary Actions

Posted in Cyber and National Security, Policy and Regulatory Positioning

On February 5 the White House big data and privacy working group released an “Interim Progress Report” (hereinafter “the Interim Report”) summarizing its “progress in furthering the majority of the recommendations made” in its May 2014 report, “Big Data: Seizing Opportunities, Preserving Values” (hereinafter “the Big Data R… Continue Reading

Farewell, Federal Cybersecurity Incentives?

Posted in Cyber and National Security, Policy and Regulatory Positioning

Administration Takes Private Sector Incentives Off the Table, While Obama Calls for $14 Billion in FY 2016 Budget to Strengthen Government’s Cybersecurity Efforts

The White House’s Cybersecurity Coordinator Michael Daniel announced on Monday that the government will not offer incentives for private sector businesses to adopt… Continue Reading

Law360 Talks to Christopher Avery About New York’s Data Security Proposal

Posted in Data Protection, Policy and Regulatory Positioning

Last week we summarized the four must-know things regarding the New York Attorney General’s new data security proposal. Commentary still surrounds the proposal and has wide appeal. Christopher Avery offered the following insights to Law360:

“The 47 state breach notification laws are reactive…But the New York proposal, instead of being rea… Continue Reading