Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Policy and Regulatory Positioning

Washington State Amends Data Breach Law

Posted in Policy and Regulatory Positioning

Passage of H.B. 1078 sets a 45-day notification deadline, adds additional notice requirements

Washington Governor Jay Inslee signed H.B. 1078 into law on April 23, revising the state’s data breach notification statute and imposing additional notification requirements on businesses that suffer an unauthorized disclosure of “personal information” (PI). The new bill does the following:

  • Expands coverage to hard copy data as well as electronic or “computerized” data;
  • Requires notification of the Washington Attorney General if more than 500 Washington residents are required to be notified;
  • Imposes a 45-day deadline for notification of affected consumers and, when required, of the Washington Attorney General;
  • Empowers the Washington Attorney General to enforce the statute by bringing actions under the state’s consumer protection act;
  • Mandates certain content in the consumer notification, including the name and contact information of the reporting business, a list of the types of PI subject to the breach, and the toll-free telephone numbers and addresses of consumer reporting agencies;
  • Introduces a safe harbor for PI that is “secured” or encrypted in a manner that meets or exceeds the National Institute of Standards and Technology (NIST) standard “or is otherwise modified so that it is rendered unreadable, unusable, or undecipherable by
... Continue Reading

Are Regulatory Fears Impeding Industry Cyber Sharing?

Posted in Cyber and National Security, Policy and Regulatory Positioning

Business leaders confess that concerns of adverse regulatory actions are impacting industry willingness to share cyberthreat information with authorities

They say that no good deed goes unpunished. And when it comes to cyber sharing, industry leaders are concerned that their only “reward” for helping the government identify and respond to cyberthreats may be a stiff rebuke from their regulators.

In a recent survey on cybersecurity by Mayer Brown, the industry executives and corporate counsel polled revealed that concerns about regulators taking adverse enforcement actions against them have an impact on their willingness to share cyberthreat information with authorities. Of those industry leaders that responded, 44 percent admitted that adverse regulatory actions have a moderate to significant impact on their desire to share cyberthreat information with the government. Perhaps because of this fear, industry leaders also appear reluctant to develop strong cybersecurity ties with government agencies: 41 percent of responding leaders stated that their companies did not have a close relationship with one or more government entities that oversee cybersecurity issues, while 24 percent stated that they did not know whether their company had any such relationships.

As we wrote previously, President Barack Obama is trying to spur cyber sharing and ... Continue Reading

Has Your Website’s EU Safe Harbor Expired?

Posted in Global, Policy and Regulatory Positioning

FTC proposes twenty-year compliance program for two companies that have settled charges that they misrepresented that they are currently compliant with the US-EU Safe Harbor Framework.

Does your company rely on the US-EU Safe Harbor Framework in order to transfer personal consumer data about EU residents outside of Europe?  If so, you probably have a statement like the following in your website’s privacy policy: “We comply with the US-EU Safe Harbor Framework and have certified our adherence to the Safe Harbor Privacy Principles.”  If this statement is not accurate because your Safe Harbor status has lapsed, the Federal Trade Commission may bring an action against your company alleging that your privacy policy is false and misleading in violation of Section 5 of the FTC Act.  The FTC has brought twenty-six enforcement actions related to the Safe Harbor to date.

The Safe Harbor was originally negotiated between the European Commission and Department of Commerce and went into effect in 2000.  As we previously noted, the US Government has taken a number of actions in the last year to bolster and demonstrate its commitment to the Safe Harbor.  The Safe Harbor allows US companies to lawfully transfer personal data on EU ... Continue Reading

Montana Tweaks Data Breach Statute

Posted in Data Protection, Policy and Regulatory Positioning

The Big Sky Country’s data breach statute is going to see some small changes come October.

On Feb. 27, 2015 Montana Governor Steve Bullock signed H.B. 74 into law, amending the state’s data breach notification statute.  Among its changes, H.B. 74 broadens the definition of personal information (“PI”) and requires entities giving notice to consumers under the statute to also provide a copy to the Montana Attorney General’s office.

The amendments, which go into effect October 1, 2015, are modest adjustments to the state law rather than major changes. For instance, H.B. 74 expands the present definition of PI to include medical record information (as defined in Mont. Code Ann. § 33-19-104), taxpayer identification numbers, and identity protection personal identification numbers issued by the federal Internal Revenue Service.

H.B. 74 further requires entities who give notice under Montana’s data breach statute to also simultaneously submit an electronic copy of the notice along with the number of in-state individuals who were notified to the Montana Attorney General’s Consumer Protection Office.

While States Move Forward, Data Breach Bills Wait on Capitol Hill

Montana’s amendments come on the heels of Wyoming’s recent, and much more extensive, changes to its data breach ... Continue Reading

Chairman Wheeler Says the FCC Didn’t Just Fall Off the Turnip Truck – It Has Experience with Protecting Consumer Privacy, Too

Posted in Communications/Media, Marketing and Consumer Privacy, Policy and Regulatory Positioning

Last night the Center for Democracy & Technology held its annual dinner (a.k.a. the “Tech Prom”) in Washington, D.C., where  FCC Chairman Tom Wheeler was featured as the keynote speaker.  Wheeler’s remarks came on the heels of the Commission’s vote to adopt new open Internet rules, which are expected to provide the agency with broader authority over consumer privacy, as well as the means to enforce it.  The Chairman’s message was presented in the form of a conversation with CDT’s President Nuala O’Connor, who prompted discussions about the FCC’s role in protecting consumer privacy.  While giving a nod to the “great work” that the Federal Trade Commission has done in this space, Wheeler reminded the packed ballroom that the FCC “didn’t just fall off the turnip truck.”  Through CALEA, CPNI, and the activities associated with the FCC sponsored Communications Security, Reliability and Interoperability Council (CSRIC), Wheeler said the agency has been working to protect consumer privacy in the past, and will continue to do so in the future.

Exactly what the new open Internet rules will say about consumer privacy and the FCC’s role is still unclear, as we wait for the 300+ page order to be released (and the ... Continue Reading

Chip-and-PIN (EMV) Transition: Transition Hampered …

Posted in Data Protection, Policy and Regulatory Positioning

A recent report from the Congressional Research Service (CRS) highlighted a number of factors that are delaying the transition to chip-and-PIN (EMV) cards before the credit card networks’ deadline of Oct. 1, 2015.  The CRS predicted four factors would slow chip-and-PIN adoption in the U.S.: the high cost to implement compatible point-of-sale readers and the high cost to issue new cards, the relatively low adoption level to date, the decision by some credit card issuers to deploy chip-and-signature cards rather than an integrated PIN, and regulatory uncertainty. The report also highlighted that it is yet to be seen whether signature verification will be as effective at reducing card-present fraud as PIN verification. A copy of the full report is available here.
Christopher Avery is a privacy and data security attorney in Davis Wright’s New York City office.  He advises clients on U.S. and international privacy laws and regulations pertaining to consumer privacy, employee privacy, data security, and cybersecurity. Christopher regularly counsels companies on Payment ... Continue Reading

White House Big Data Working Group Claims “Significant Progress” On Executive Branch Privacy Initiatives, But Blames Congress and Big Data Stakeholders for Delaying Important Privacy Legislation and Voluntary Actions

Posted in Cyber and National Security, Policy and Regulatory Positioning

On February 5 the White House big data and privacy working group released an “Interim Progress Report” (hereinafter “the Interim Report”) summarizing its “progress in furthering the majority of the recommendations made” in its May 2014 report, “Big Data: Seizing Opportunities, Preserving Values” (hereinafter “the Big Data Report”), discussed here.

The Big Data Report followed President Obama’s call “to explore how [big data is] changing our economy, our government, and our society,” and its “implications on personal privacy.”  While much of the Big Data Report emphasized the societal benefits of big data (e.g., improving the economy, education, health and energy efficiency), the working group found that “absent strong social norms and a responsive policy and legal framework,” personal privacy may be difficult to protect with technological advances alone.  To that end, the Big Data Report recommended six policy initiatives “deserving prompt action:”

  • Advance the Consumer Privacy Bill of Rights (“CPBR”), a framework that the White House first proposed in 2012 to give consumers greater control over the collection and use of their personal information by businesses and other organizations;
  • Pass National Data Breach Legislation, to provide a single national data breach standard;
  • Ensure Data Collected
... Continue Reading

Farewell, Federal Cybersecurity Incentives?

Posted in Cyber and National Security, Policy and Regulatory Positioning

Administration Takes Private Sector Incentives Off the Table, While Obama Calls for $14 Billion in FY 2016 Budget to Strengthen Government’s Cybersecurity Efforts

The White House’s Cybersecurity Coordinator Michael Daniel announced on Monday that the government will not offer incentives for private sector businesses to adopt the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. Instead, Mr. Daniel declared that the free hand of the market is the best means to encourage the private sector to adopt NIST’s voluntary cybersecurity measures to better guard against cyber risks. Mr. Daniel’s announcement came in response to suggestions made by the departments of Commerce, Treasury, and Homeland Security in 2013 on how to incentivize private companies to adopt the NIST Framework. While Mr. Daniel did give mention to some of these methods, he plainly stated that “we [in the Administration] believe that the market offers the most effective incentives for the private sector to adopt strong cybersecurity practices” and that “developing a government program to award a ‘seal of approval’ would likely reduce the flexible use of the Framework.”

Curiously, Mr. Daniel’s announcement came the same day that the White House also released President Barack Obama’s proposed Fiscal Year 2016 Budget... Continue Reading

Law360 Talks to Christopher Avery About New York’s Data Security Proposal

Posted in Data Protection, Policy and Regulatory Positioning

Last week we summarized the four must-know things regarding the New York Attorney General’s new data security proposal. Commentary still surrounds the proposal and has wide appeal. Christopher Avery offered the following insights to Law 360:

“The 47 state breach notification laws are reactive…But the New York proposal, instead of being reactive, is focusing on what are the things that companies can be doing in advance to eliminate the breaches that result in those notifications.”

“It would probably make the most sense for Congress to start by enacting a straightforward and sound national data breach notification law and then potentially come back and re-evaluate how effective that is and what data security standards are needed moving forward.”... Continue Reading

New FTC Report on IoT Maintains Need for Baseline Privacy Legislation and Begins to Recognize Limitations of FIPPS in a Connected World

Posted in Policy and Regulatory Positioning

The Federal Trade Commission released its long-awaited staff report on privacy and security issues presented by the emerging market for connected devices, also known as the Internet of Things (“IoT”) (the “Report”), this morning.  The Report follows up on the Workshop held in November 2013 and defines the IoT as “devices or sensors – other than computers, smartphones, or tablets – that connect, store or transmit information with or between each other via the Internet.” The scope of the recommendations contained within the Report is limited to those devices sold to or used by consumers.  Although the Report builds on principles developed during the Workshop, it does not break new ground (other than to formally recognize the limits of notice, choice and data minimization practices in the IoT ecosystem).

Notably, the Report recognizes that “there is great potential for innovation in this area, and that IoT-specific legislation at this stage would be premature.”  However, the Report does reiterate the need for a national data breach notification law and a baseline consumer privacy statute, as recently outlined by the President.  In the meantime, the Commission will rely on its existing authority under laws such as the FTC Act, the ... Continue Reading

Congress Funds Cybersecurity: Spending Bill Allocates over $1 Billion to Cybersecurity

Posted in Cyber and National Security, Policy and Regulatory Positioning

The final spending bill of the 113th Congress, which keeps the government doors open until September 30th of 2015, was passed by the House on December 11th, the Senate on the 13th, and signed by the President on December 16th. It is a $1.1 trillion omnibus spending bill that will direct well over $1 billion toward cybersecurity. Among other things, it will provide $675,500,000 for the National Institute of Standards and Technology (NIST) scientific and technical core programs, which includes $15,000,000 for the National Cybersecurity Center of Excellence, up to $60,700,000 for cybersecurity research and development, $4,000,000 for the National Initiative for Cybersecurity Education, and $16,500,000 for the National Strategy for Trusted Identities in Cyberspace. It also allocates funds to various other federal agencies specifically for cybersecurity, as well as to federal investigative agencies to combat cybercrime. Some of the funds are directed toward developing a more robust cybersecurity workforce, including $35 million to the General Services Administration (GSA) for construction of a “civilian cyber campus” that would house federal employees and contractors dedicated to the civilian cyber security mission. According to a GSA prospectus on the project, the goals of the ... Continue Reading

Congress Confirms NIST’s Role in Cybersecurity – and the Continuation of the Cybersecurity Framework

Posted in Cyber and National Security, Policy and Regulatory Positioning

The Cybersecurity Enhancement Act of 2014 (CEA) was passed by the House and the Senate on December 11th, and signed by the President on the 18th. The bill formalizes the role of the National Institute of Standards and Technology (NIST) in continuing to develop the voluntary Cybersecurity Framework. Through five “titles,” the bill includes provisions to promote cybersecurity research, private/public sector collaboration on cybersecurity, education and awareness, and technical standards, including a federal cloud computing strategy.

Title I of the CEA, entitled “Public-Private Collaboration on Cybersecurity,” amends the NIST Act to permit the Secretary of Commerce, through the Director of NIST, to facilitate and support the development of a voluntary, industry-led set of standards and procedures to reduce cyber risks to critical infrastructure – this would be the Cybersecurity Framework. It requires the Director of NIST to coordinate continuously with, and incorporate the industry expertise of, relevant private sector personnel and entities, critical infrastructure owners and operators, sector coordinating councils, Information Sharing and Analysis Centers, and other relevant industry organizations.  It also requires the Director of NIST to consult with the heads of agencies with national security responsibilities, sector-specific agencies, state and local governments, governments ... Continue Reading

Congress Passes Cybersecurity Workforce Legislation

Posted in Cyber and National Security, Policy and Regulatory Positioning

The Border Patrol Agent Pay Reform Act of 2014 was passed by the Senate on September 18th, by the House on December 10th, and signed by the President on December 18th. It contains provisions from the Cybersecurity Workforce Recruitment and Retention Act of 2014, which allows the Secretary of the Department of Homeland Security (DHS) to establish cybersecurity positions within DHS to better meet its cybersecurity mission. Another piece of legislation, the Cybersecurity Workforce Assessment Act (CWAA), was passed by the Senate on December 10th, by the House on December 11th, and was also signed by the President on December 18th. It requires DHS to evaluate and enhance its cybersecurity workforce. It requires the Secretary of DHS, within 180 days of the enactment of the CWAA and then annually for the next three years, to assess the cybersecurity workforce of DHS. Among other things, the assessment is to include an evaluation of the readiness and capacity of the DHS workforce to meet its cybersecurity mission.

Comprehensive workforce strategy: The CWAA requires the Secretary of DHS, within one year of its enactment, to develop a comprehensive workforce strategy ... Continue Reading

Congress Passes The Federal Information Security Modernization Act of 2014: Bringing Federal Agency Information Security into the New Millennium

Posted in Cyber and National Security, Policy and Regulatory Positioning

The Federal Information Security Modernization Act of 2014 (FISMA) was passed by the Senate on December 8th, by the House on December 10th, and signed by the President on December 18th. It is a comprehensive bill intended to bring federal agency information security practices into the new millennium – to better respond to evolving cybersecurity threats. FISMA updates the Federal Information Security Management Act of 2002, and provides a comprehensive framework for ensuring the effectiveness of information security controls over federal information operations and assets. It recognizes the highly networked nature of current federal computing environments and the complex task of coordinating information security efforts throughout the civilian, law enforcement and national security communities. It also acknowledges that commercially developed information security products offer effective information security solutions, and that the choice of specific information security solutions from among commercially developed products should be left to individual agencies.

FISMA oversight: FISMA reestablishes the oversight authority of the Director of Office of Management and Budget (OMB) with respect to federal agency information security policies and practices. This includes the development and implementation of principles, standards and guidelines pertaining to information security within federal agencies, and coordinating the development of ... Continue Reading

Congress Passes the National Cybersecurity Protection Act: Codifies National Cybersecurity Center & Creates Federal Agency Data Breach Notification Law

Posted in Cyber and National Security, Policy and Regulatory Positioning

The National Cybersecurity Protection Act of 2014 (NCPA) was passed by the House on December 8th, by the Senate on December 10th, and signed by the President on December 18th. Senate Committee on Homeland Security and Governmental Affairs Chairman Tom Carper (D-Del.) issued the following statement regarding the NCPA: “Cybersecurity is one of the biggest national security challenges our country faces. Our laws should reflect that reality. By codifying the Department of Homeland Security’s existing cybersecurity operations center, the National Cybersecurity Protection Act of 2014 bolsters our nation’s cybersecurity while providing the department with clear authority to more effectively carry out its mission and partner with private and public entities. It is critical that the department continues to build strong relationships with businesses, state and local governments, and other entities across the country so that we can all be better prepared to stop cyber-attacks and quickly address those intrusions that do occur.”

Codification of the National Cybersecurity and Communications Integrity Center: The NCPA codifies the existing cybersecurity and communications operations center at DHS, known as the National Cybersecurity and Communications Integrity Center (NCCIC). The bill directs the NCCIC to provide a number of services, ... Continue Reading

Cybersecurity Legislation Focuses on Federal Government Initiatives – Leaves Private Sector Reforms for 2015

Posted in Cyber and National Security, Policy and Regulatory Positioning

One of the few things the parties in Congress can agree upon these days is cybersecurity – at least when it comes to directing the federal government’s cyber activities.  In its final days, the 113th Congress reached agreement on several major pieces of legislation intended to improve the nation’s cybersecurity: the National Cybersecurity Protection Act of 2014, the Federal Information Security Modernization Act of 2014, the Border Patrol Agent Pay Reform Act of 2014 (a bill that contains provisions from the Department of Homeland Security (DHS) Cybersecurity Workforce Recruitment and Retention Act of 2014), the Cybersecurity Workforce Assessment Act, and the Cybersecurity Enhancement Act of 2014. All of these were signed by the President on December 18th, and will be funded by a $1.1 trillion spending package signed by him on December 16th. In total, the bills update the federal government’s roles and responsibilities with respect to planning for and responding to cyber threats, helping agencies move into the 21st century with a trained workforce.  What is notably absent in this nicely wrapped package of bills, however, is any meaningful reform for the private sector.

Subsequent posts will provide details ... Continue Reading

FCC Reaffirms Fax Ads Sent With Recipients’ Prior Permission Require Opt-Out Notice

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

But Grants Retroactive Waivers to Petitioners Who Sent Permission-Based Faxes Without Opt-Out Notices

The Federal Communications Commission has issued an Order sustaining its rule that even ads faxed with the permission of the recipient must include a notice with instructions for how to opt out of future faxes. The Order responds to a passel of petitions that argued the Telephone Consumer Protection Act’s (TCPA) “junk fax” provision and attendant opt-out requirement apply only to “unsolicited” fax advertisements, and thus do not cover faxes “solicited” by those who consent to receive the faxed ads.

However, while staunchly defending its statutory authority to adopt an opt-out notice rule for permission-based faxes, and that it was a logical outgrowth of its rulemaking notice, the FCC recognized that its order adopting the rule may have been confusing on this point. It accordingly granted retroactive waivers to petitioners with temporary relief from any past obligation to have opt-out notices on permission-based faxes. The waivers give petitioners who received them a six-month window to come into compliance with the opt-out requirement, and the FCC invited similarly situated parties to seek similar waivers, strongly suggesting that such requests must be on file within the next six months.... Continue Reading

Second Circuit Adopts FCC’s Narrow Construction of “Implied” Express Consent for Autodialed Calls to Cell Phones

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

This updates our report last summer on a Federal Communications Commission (FCC) letter brief, filed at the invitation of the U.S. Court of Appeals for the Second Circuit in Nigro v. Mercantile Adjustment Bureau, in which the FCC took a noticeably less generous view of its then-recent declaratory rulings on whether a consumer’s provision of a cell number is deemed consent to autodial it under the Telephone Consumer Protection Act (TCPA). We noted at that time that, “It would be a shame if, in the FCC’s view, calls in the course of ‘normal, expected and desired business communications’ are permissible only if no one objects after-the-fact.” The Second Circuit has now issued an opinion adopting the view in the FCC’s letter brief, holding that because Nigro did not provide his phone number directly to the creditor in the context of the debt incurred (in respect to which Mercantile called), the TCPA prohibited the calls.

To recap, when Nigro contacted his recently deceased mother-in-law’s electric utility to stop service, he gave them a cell number, which Mercantile later called using an automatic dialing system to collect a remaining balance on the mother-in-law’s account. Nigro sued on grounds the calls violated the ... Continue Reading

Chip-and-PIN is Coming…To the US Government

Posted in Data Protection, Policy and Regulatory Positioning

Last Friday, in the wake of numerous data breaches, President Obama signed a new Executive Order that will change how federal agencies use payment cards and allow access to certain government portals.  Those changes include the adoption of chip-and-PIN (also known as EMV) payment terminals and cards, and the implementation of multi-factor authentication on digital applications where consumers can access personal information.

The Executive Order requires the executive departments and agencies to deploy chip-and-PIN payment processing terminals at government offices “as soon as possible.”  Legacy payment processing terminals do not have to be replaced immediately, but all new terminals purchased after Jan. 1, 2015 must include the necessary hardware to support the enhanced security features.  The Department of the Treasury also has until the same deadline to develop a plan for how the agencies can install the associated software components to support these security features.

More importantly, by Jan. 1, 2015, all Direct Express prepaid debit cards used to pay government benefits will include the embedded chip.  The Office of Management and Budget is also charged with developing plans to replace the cards issued by other federal agencies with payment cards that include the enhanced security features.  In a speech to the ... Continue Reading

Eleventh Circuit Reverses Refusal to Honor FCC’s TCPA Debt Collection Declaratory Ruling, Fosters Uniformity on TCPA’s Autodialing Exception

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

The U.S. Court of Appeals for the Eleventh Circuit has brought a bit of legal balance back to automated debt collection calls, and reminded lower courts that when it comes to claims under the Telephone Consumer Protection Act (TCPA), they must honor the validity of FCC rulings.

The Eleventh Circuit’s decision implicates a 2008 declaratory ruling by the FCC regarding automated debt collection calls under the TCPA.  The TCPA and FCC rules implementing it prohibit autodialed and/or prerecorded calls to cell phones, unless there is prior express consent from the call recipient.  The FCC’s Debt Collection Declaratory Ruling from early 2008 held that prior express consent exists where a consumer gives a company his/her cell phone number as part of a transaction, and the company later autodials/prerecorded-calls or texts the consumer in connection with a debt arising from that transaction.

In Mais v. Gulf Coast Collection Bureau, Mais alleged that defendants placed autodialed and/or prerecorded calls to his cellphone without consent, in violation of the TCPA.  The calls followed from Mais’ emergency room treatment, during which his wife completed hospital admission documents and provided her husband’s cellphone number and other information.  Defendants maintained before the U.S. District Court for ... Continue Reading

In Flight Catalog: Senator Rockefeller Opens Inquiry Into Consumer Data Practices by Airlines

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

Last week, Senator Jay Rockefeller (D-W.Va.) sent a letter to the top ten revenue-generating passenger airlines in the United States, opening an inquiry into their practices related to charging additional fees for optional services and the collection of consumer data. With respect to consumer data, Sen. Rockefeller’s letter calls for greater transparency from airlines about how they collect, use, and disclose the personal information of consumers, citing concerns by consumer advocates that “airline policies can contain substantial caveats” and that “it is difficult for consumers to learn what information airlines and others in the travel sector are collecting, keeping, and sharing about them.” To assist the Senate Committee on Commerce, Science, &amp; Transportation (“Committee”) in evaluating these concerns, Sen. Rockefeller has asked the airlines to provide the following information:

Do you retain personal information that your company obtains from consumers when they shop for airfares or from other sources? If yes:

a.  State the period of time your company retains such information and what specific data points you retain;

b.  State any specific sources for personal information or other such information your company obtains directly from consumers;

c.  Describe the privacy and security protections your company provides for personal ... Continue Reading

Consumer Privacy Legislation? All Sides Weigh In But Remain Far Apart in the Big Debate Over Big Data

Posted in Data Protection, Marketing and Consumer Privacy, Policy and Regulatory Positioning

Recent comments filed by various stakeholders in response to the U.S. Commerce Department’s National Telecommunications and Information Administration’s (NTIA) Request for Public Comment (RFC) on “Big Data and Consumer Privacy in the Internet Economy,” evidence a wide rift between consumer groups and most business interests regarding the need for additional consumer privacy law in the era of Big Data. NTIA issued its RFC back in June, in response to a recommendation in the May 1 White House report, “Big Data: Seizing Opportunities, Preserving Values” (hereinafter “Big Data Report”), which addressed how big data is transforming the lives of Americans.

In the Big Data Report, the White House recommended (among other things) that:

[t]he Department of Commerce should promptly seek public comment on how the Consumer Privacy Bill of Rights (“CPBR”) could support the innovations of big data while at the same time responding to its risks, and how a responsible use framework . . . could be embraced within the framework established by the [CPBR]. Following the comment process, the Department of Commerce should work on draft legislative text for consideration by stakeholders and submission by the President to Congress.

The Consumer Privacy Bill of Rights and Big ... Continue Reading

FTC Undertakes Periodic Rule Review of Telemarketing Sales Rule

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

The Federal Trade Commission (FTC) has published in the Federal Register a Request for Comments on all aspects of its Telemarketing Sales Rule (TSR) as part of a routine review of the effectiveness, costs and benefits of its rules. Though the Request for Comments targets several TSR issues in particular (discussed below), it views the review as assessing generally whether the Rule is serving a “useful purpose,” and whether it can be improved to reflect changes in the marketplace since it was previously amended in 2003, 2008 and 2010. Comments are due October 14, 2014.

The Request for Comments does not itself propose specific changes to the TSR but rather invites input on several specific topics, as well as on any issues relevant to the TSR that commenters wish to address. Notably, the advent of the National Do-Not-Call Registry culminating in 2003 started as precisely this kind of “routine” review of the TSR. Here, the FTC specifically seeks comment on issues surrounding:

• Whether there is a need to expand the TSR’s recordkeeping requirements;

• The use of pre-acquired account information, i.e., that which a customer has previously provided to a seller or telemarketer to subsequently charge his or her ... Continue Reading

Pass or Fail? Sens. Markey and Hatch Introduce “Protecting Student Privacy Act” Seeking to Amend FERPA, Increase Protection of Student PII Shared with Private Companies

Posted in Data Protection, Policy and Regulatory Positioning

On July 30, 2014, Sen. Edward J. Markey, D-Mass., made good on his earlier promise to beef up the Family Educational Rights and Privacy Act of 1974 (FERPA) to provide heightened protections for student educational records shared with private companies.

Together with Sen. Orrin Hatch, R-Utah, Markey introduced the “Protecting Student Privacy Act” (S.2690), which would amend FERPA and require schools and school districts to implement various data security protections to safeguard the personally identifiable information (PII) contained in students’ education records, and ties receipt of federal education funding to compliance with the Act’s heightened security standards.

Among the bill’s provisions, the Protecting Student Privacy Act:

  • Requires schools and school districts to protect students’ personally identifiable information (PII) contained in education records maintained by the institution;
  • Prohibits schools and school districts from using, releasing, or providing access to student PII in education records for advertising or marketing services or products;
  • Provides parents with a right to access their children’s PII and challenge, correct, or delete any inaccurate data in the education records held by private companies;
  • Mandates that outside parties such as private companies with whom students’ PII is shared have comprehensive information security policies and procedures in place to
... Continue Reading