Melinda L. McLellan

SEC Cybersecurity Risk Alert Emphasizes Proactive Compliance and Ongoing Vigilance

On August 7, 2017, the Securities and Exchange Commission (SEC) released its latest cybersecurity risk alert, detailing findings from the examination of 75 broker-dealers, investment advisers and investment companies carried out by its Office of Compliance Inspections and Examinations (OCIE) pursuant to its 2015 cybersecurity examination initiative. In contrast with the previous round of examinations, … Continue Reading

Nevada Enacts Online Privacy Policy Law; Illinois ‘Right to Know’ Bill Carried Over

Nevada recently became the latest state to pass a law requiring operators of websites and online services to post a public notice regarding their privacy practices. California was the first state to pass such a law in 2004, and Delaware enacted a similar law effective January 1, 2016.  Similar to its predecessors, the new Nevada … Continue Reading

New York DFS Updates FAQs to Clarify Applicability of Cybersecurity Regulation

With the first compliance deadline now less than two months away, the New York Department of Financial Services (NYDFS) has provided additional clarity concerning its new Cybersecurity Requirements for Financial Services Companies (the “Cybersecurity Regulation”) by publishing an update to previously issued Frequently Asked Questions. We reported on the forthcoming Cybersecurity Regulation in January and … Continue Reading

Washington State Passes Legislation Governing the Use of Biometric Information

Effective July 23, 2017, Washington will join Illinois and Texas as the third U.S. state to impose statutory restrictions on how businesses collect, use, disclose and retain biometric information. House Bill 1493 applies to entities that “enroll a biometric identifier in a database for a commercial purpose” and includes requirements to provide notice to individuals … Continue Reading

Deeper Dive: Ransomware – WannaCry and the Future of Ransomware-as-a-Service

In our 2017 BakerHostetler Data Security Incident Response Report, we addressed the increasingly ubiquitous scourge of ransomware, one of the fastest-growing types of malware causing data security incidents. We noted that ransomware attacks have been steadily expanding in both frequency and severity, and that those trends seemed set to continue for the foreseeable future. Less than a … Continue Reading

Deeper Dive: Security Incident Notification Under the New EU General Data Protection Regulation (GDPR)

As noted in the 2017 BakerHostetler Data Security Incident Response Report, the enactment of the EU General Data Protection Regulation (GDPR) represents the most significant change in European data protection law in more than 20 years. Coming into effect on May 25, 2018, the GDPR focuses on a number of core data protection principles and … Continue Reading

Massachusetts AG Settlement Bars Geofencing Near Medical Facilities

On April 4, 2017, the Massachusetts Attorney General’s office announced that it had settled with a digital advertiser following allegations the company was using geolocation technology to target ads to women visiting reproductive health facilities. Although the company denied that it geofenced clinics in Massachusetts, the AG indicated that such targeting would violate the Massachusetts … Continue Reading

Colorado Proposes Cybersecurity Requirements for Investment Advisers and Broker-Dealers

On March 27, 2017, the Colorado Department of Regulatory Agencies proposed changes to the Colorado Securities Act that would impose new cybersecurity requirements on investment advisers and broker-dealers (the “Proposed Rule”). Among other obligations, the Proposed Rule would require these entities to include cybersecurity as part of their risk assessments, and establish and maintain written … Continue Reading

FTC Nets $500,000 Settlement for Alleged Consent Order Violation Related to Online Data Collection Practices

On March 17, 2017, the Federal Trade Commission (FTC) announced that it had reached a $500,000 settlement with Upromise, a membership reward service aimed at families saving for college. The FTC had alleged that Upromise violated a 2012 FTC consent order by failing to make required disclosures about its data collection and use practices and … Continue Reading

Australia’s New Breach Notification Law Set to Take Effect February 2018

On February 13, 2017, the Australian Senate passed a bill establishing a mandatory requirement to notify the Privacy Commissioner and affected individuals of “eligible” data breaches. The Privacy Amendment (Notifiable Data Breaches) Act 2016, which was passed by the House of Representatives the previous week, amends Australia’s Privacy Act 1988 and is slated to take … Continue Reading

FTC’s $2.2m Smart TV Settlement Signals Continued IoT Enforcement Focus

On February 6, 2017, the Federal Trade Commission announced that it had settled charges against VIZIO, Inc., a consumer electronics manufacturer of Internet-connected televisions. The FTC alleged that VIZIO unfairly tracked sensitive TV viewing data of millions of American consumers, and deceptively failed to disclose how the collected data was being used. This action was … Continue Reading

Finalized New York Department of Financial Services Cybersecurity Regulation to Take Effect March 1

On February 16, 2017, the New York Department of Financial Services (NYDFS) announced the release of its finalized Cybersecurity Requirements for Financial Services Companies (“Cybersecurity Regulation”), which will take effect on March 1, 2017. This final iteration, issued following an additional 30-day comment period, is in large part the same as the revised version dated … Continue Reading

Swiss-U.S. Privacy Shield Framework to Launch April 12

On January 11, 2017, the U.S. Department of Commerce, the Swiss Federal Council and the Swiss Federal Data Protection and Information Commissioner (FDPIC) issued press releases announcing that an agreement has been reached on a new cross-border data transfer mechanism, the Swiss-U.S. Privacy Shield Framework (the Swiss Privacy Shield). The Swiss Privacy Shield replaces its … Continue Reading

FTC Goes After IoT Device Manufacturer for Alleged Security Vulnerabilities in Routers, IP Cameras

On January 6, the Federal Trade Commission (FTC) announced that it had filed a complaint against Taiwanese D-Link Corp. and its U.S. subsidiary, D-Link Systems Inc. (D-Link), alleging the company made deceptive claims about the security of its products and engaged in unfair practices that put U.S. consumers’ privacy at risk. The case is noteworthy for … Continue Reading

New York Department of Financial Services Issues Revised Cybersecurity Regulations

With the clock ticking down to the new year, on December 28, 2016, the New York State Department of Financial Services (NYDFS) released highly anticipated revisions to its proposed Cybersecurity Requirements for Financial Services Companies (the “Proposal”). As we previously reported, the NYDFS first announced the proposed regulations in September; at that time, they were … Continue Reading

FTC Settles with Ad Tech Company Over Deceptive Online Tracking Practices

On December 20, 2016, the Federal Trade Commission (FTC) announced that Turn Inc. agreed to settle charges that it misled consumers about its online tracking activities and failed to honor consumer opt-outs as described in its privacy policy. Background: Turn is a digital advertising company that facilitates targeted marketing by commercial brands and ad agencies … Continue Reading

Privacy Rights Group Files First Legal Challenge to EU-U.S. Privacy Shield

Digital Rights Ireland, an Irish privacy advocacy group, has filed the first legal challenge to the EU-U.S. Privacy Shield, the Trans-Atlantic agreement reached earlier this year to permit the lawful transfer of personal data from the European Union to the United States. The Privacy Shield was formally adopted on July 12, 2016, by the European … Continue Reading

Privacy Shield Developments and UK Data Transfers Post-Brexit

With the UK’s Brexit referendum dominating the news out of Europe over the past week, it may have been easy to miss a key development in the continuing Privacy Shield negotiations. On Friday, June 24, news outlets reported that U.S. regulators and the European Commission had agreed on a finalized version of the Privacy Shield, a proposed … Continue Reading

German Data Protection Authority Issues Fines for Unlawful Cross-Atlantic Data Transfers

The Data Protection Authority of Hamburg, Germany has made good on its promise to audit cross-Atlantic data transfers in the wake of the October 2015 Safe Harbor decision.  On June 6, the Hamburg DPA announced that it had fined three companies for unlawful transfers of personal data from the EU to the United States.  According … Continue Reading

Companies Face Uncertainty as Privacy Shield Encounters New Hurdles

The Privacy Shield, proposed this past February and greeted with cautious optimism by European and U.S. regulators alike as a more robust “replacement” for the invalidated Safe Harbor framework, appears to be suffering death by a thousand paper cuts. Today’s European Parliament resolution (the “Resolution”) delivered the latest blow. The Resolution recommends that the European … Continue Reading

Privacy Shield Update: A Recap of Recent Developments

On April 13, 2016, the Article 29 Working Party (WP29), an influential group of European data protection authorities, issued a non-binding opinion that criticized certain elements of the fledgling Privacy Shield framework. Although the Privacy Shield remains in limbo at this time, a flurry of speculation and Shield-adjacent legal maneuvers have colored the landscape and … Continue Reading

New Take on Old Phishing Scam Wreaking Havoc on HR Departments

From would-be Nigerian princes to foreign lottery officials, cybercriminals have been known to assume all sorts of false identities to carry out email phishing scams that trick unsuspecting consumers into clicking on fraudulent links or divulging personal information to strangers. We often see a spike in this type of activity around tax season, when fraudsters … Continue Reading

Safe Harbor Is Dead, Long Live Standard Contractual Clauses?

For the past 15 years, the EU-U.S. Safe Harbor Framework has been one of the most popular data transfer mechanisms for organizations that engage in cross-border transfers of EU personal data to the United States. In the aftermath of the recent invalidation of the Safe Harbor Framework by the Court of Justice of the European … Continue Reading