David M. Brown

Subscribe to all posts by David M. Brown

Massachusetts Enacts Significant Changes to Its Data Breach Notification Law

By David M. Brown on Posted in Breach Notification, Data Breach Notification Laws, State Legislation
On Jan. 10, 2019, Massachusetts Gov. Charlie Baker signed legislation that will significantly amend the state’s data breach notification law. The amendments become effective on April 11, 2019. One of the significant changes includes a new requirement to provide an offer of complimentary credit monitoring for “a period of not less than 18 months” when … Continue Reading

New Guidance on GDPR Data Processing Contracts Published by the UK ICO

By David M. Brown on Posted in GDPR
The U.K. Information Commissioner’s Office (ICO) recently published guidance on contracts between controllers and processors. This new guidance provides a more in-depth and detailed discussion of the key issues than did a previously released primer published by the ICO, which set out key points along with helpful checklists. The new guidance discusses (1) when a … Continue Reading

Cookies and Consent Under the EU GDPR

By David M. Brown on Posted in Enforcement, GDPR, Online Privacy
According to a recent story published by The Register, the U.K. data privacy watchdog, the Information Commissioner’s Office (ICO) has issued a warning to the U.S.-based newspaper The Washington Post (WaPo) about obtaining consent under the EU General Data Protection Regulation (GDPR) and allowing its readers to switch off tracking and cookies. Article 6(1) of … Continue Reading

EU-U.S. Privacy Shield Framework Joint Annual Review 2.0

By David M. Brown on Posted in Enforcement, International Privacy Law
As we previously reported here, the Federal Trade Commission (FTC) announced several enforcement actions in late 2017, on the eve of the first annual joint EU-U.S. review of the Privacy Shield Framework. Now the second annual review of the EU-U.S. Privacy Shield Framework is underway, and the FTC has announced several new enforcement actions, which … Continue Reading

Colorado Enacts Sweeping Changes to Data Breach Reporting Requirements and Adds New Data Security Requirements

By David M. Brown on Posted in Data Breach Notification Laws, State Legislation
Colorado’s Gov. John Hickenlooper signed a bill that significantly strengthens its current data breach notification requirements and adds new measures designed to enhance protections for consumer data privacy. The new law will go into effect on Sept. 1, 2018. Disposal of personal identifying information As previously discussed here (while the bill was in committee), HB18-1128 … Continue Reading

A New Tax Season, but the Same W-2 Spear Phishing Scam

By David Kitchen and David M. Brown on Posted in Phishing
According to the IRS, the IRS saw the number of businesses, public schools, universities, tribal governments and nonprofits victimized by W-2 scams increase to 200 in 2017 from 50 in 2016. Those 200 victims translated into several hundred thousand employees whose sensitive data was stolen. In some cases, the criminals requested both the W-2 information … Continue Reading

Delaware Revamps Its State Data Breach Notification Statute

By David M. Brown on Posted in Data Breach Notification Laws, State Legislation
On Aug. 17, 2017, Delaware revamped its existing data breach notification statute. In doing so, Delaware became the second state (joining Connecticut) to mandate offering individuals affected by a breach of security involving Social Security numbers at least one year of complimentary credit monitoring services. The new law takes effect on April 14, 2018, and … Continue Reading

IoT Device Maker Settles Class Claims for $3.75 Million

By David M. Brown on Posted in Big Data, Internet of Things, Mobile Privacy, Privacy Class Actions, Retail Industry
In one of the first Internet of Things (IoT) class action settlements, the maker of a Bluetooth-enabled personal vibrator agreed to settle privacy class claims for $3.75 million. The We-Vibe product allows a user to connect the product to a smartphone. The user can then control the device from the phone via Bluetooth connection. The … Continue Reading

FINRA Seeks Comment on Blockchain

By David M. Brown on Posted in Financial Privacy
On Jan. 18, 2017, the Financial Industry Regulatory Authority (FINRA) became the latest organization to weigh in on distributed ledger technology (DLT), also known as blockchain. Recognizing the growing interest and potential benefits surrounding the implementation of DLT, FINRA published a report examining the impact of blockchain on the financial services industry. Blockchain is essentially … Continue Reading

Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity

By David M. Brown on Posted in Cybersecurity, Data Breaches, Enforcement, Online Privacy, Retail Industry
On Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information. According to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an … Continue Reading

Unanimous FTC Finds LabMD’s Data Security Practices Violated Section 5 of the FTC Act

By Will R. Daugherty and David M. Brown on Posted in Cybersecurity, Enforcement, Medical Privacy, Online Privacy
On July 29, 2016, a unanimous Federal Trade Commission (“FTC” or “Commission”) issued its Opinion and Final Order reversing the decision of an administrative law judge (“ALJ”) and holding that LabMD engaged in “unfair” practices in violation of Section 5 of the FTC Act because it failed to provide reasonable and appropriate security for personal … Continue Reading

Illinois Enacts Sweeping Changes to the Illinois Personal Information Protection Act

By David M. Brown on Posted in Cybersecurity
On May 6, 2016, Illinois joined a growing number of states that have strengthened their data breach notification requirements and expanded the definition of protected personal information. Effective January 1, 2017, HB1260 amends the Illinois Personal Information Protection Act (PIPA) to broaden the definition of protected personal information, which will now include an individual’s first … Continue Reading

Tennessee Revamps Its State Data Breach Notification Statute

By David M. Brown on Posted in Data Breach Notification Laws
Tennessee amended its data breach notification statute to potentially require notification of a data breach to affected individuals regardless of whether the personal information involved in the security incident was encrypted. On July 1, Tennessee becomes the first state to remove its encryption safe harbor; there is still an ability to perform a risk analysis … Continue Reading

ALJ Issues Sweeping Decision Dismissing FTC’s Action Against LabMD

Photo of Lynn SessionsBy Lynn Sessions and David M. Brown on Posted in Medical Privacy, Online Privacy
On November 13, 2015, the chief administrative law judge (“ALJ”) handling the Federal Trade Commission’s (“FTC” or “Commission”) complaint against LabMD Inc. (“LabMD”) dismissed the case in its entirety. As we previously reported, following two data security incidents involving the disclosure of personal information, the FTC brought an action against LabMD, a clinical testing laboratory, … Continue Reading

Trans-Pacific Partnership Would Promote Cross-Border Data Transfers and Restrict Data Localization

By David M. Brown on Posted in International Privacy Law
As U.S. and European regulators and businesses work toward solutions in the wake of last month’s decision by the Court of Justice of the European Union that invalidated the EU-U.S. Safe Harbor framework for cross-border data transfers – previously discussed here and here – the Trans-Pacific Partnership (TPP) trade agreement seeks to facilitate cross-border data … Continue Reading
LexBlog