Archives: Retail Industry


California Legislative Effort to Avert Privacy Ballot Initiative a Race Against the Clock

On Thursday, June 22, 2018, a previously dead California Assembly bill, AB 375, was revised as a proposed alternative to the ballot initiative known as the California Consumer Privacy Act of 2018 (CCPA),[1] which is expected to be on the November ballot. It was read a third time and amended on June 25 and re-referred to … Continue Reading

California Legislature Working Feverishly To Avert Privacy Ballot Initiative

We have previously reported a ballot initiative known as the California Consumer Privacy Act of 2018 (“CCPA”) that is expected to be on the November ballot. If passed, it would make sweeping changes to consumer privacy protection rights for Californians, likely creating a new national standard. On June 21st, the California Assembly amended AB-375, … Continue Reading

Washington State Passes Legislation Governing the Use of Biometric Information

Effective July 23, 2017, Washington will join Illinois and Texas as the third U.S. state to impose statutory restrictions on how businesses collect, use, disclose and retain biometric information. House Bill 1493 applies to entities that “enroll a biometric identifier in a database for a commercial purpose” and includes requirements to provide notice to individuals … Continue Reading

IoT Device Maker Settles Class Claims for $3.75 Million

In one of the first Internet of Things (IoT) class action settlements, the maker of a Bluetooth-enabled personal vibrator agreed to settle privacy class claims for $3.75 million. The We-Vibe product allows a user to connect the product to a smartphone. The user can then control the device from the phone via Bluetooth connection. The … Continue Reading

Unexpected Consumer Data Collection Concerns FTC

The Federal Trade Commission (FTC) has been turning its attention to consumer data collection and use that consumers may not expect, such as tracking of TV viewing by smart TVs, and use of cross-device technologies and techniques to try to associate users and households to multiple devices (e.g., TVs, mobile phones, tablets, computers, and other … Continue Reading

Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity

On Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information. According to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an … Continue Reading

New PCI Guidance Provides Businesses With Security Incident Response Assistance

A security event involving payment card data, especially card present data, can be one of the most costly events a company may face. Not only did a recent study report the average total cost of a data breach as $3.8 million, large payment card incidents such as those that occurred at Target and Home Depot … Continue Reading

2015 BakerHostetler Security Incident Response Report Provides Insight Beyond Technical Incidents

There is no longer a debate – security incidents are inevitable. Organizations are working to be better prepared to respond when the first sign of an incident is detected (often at 4:30 p.m. on a Friday). So what kind of incidents should they prepare for and how should they prepare? Annual reports from forensic investigation … Continue Reading

FCC’s New TCPA Order May Require Companies to Obtain Updated Consents for Marketing Calls and Texts

Last week we published an overview of key issues raised by the Federal Communications Commission’s July 10, 2015, Declaratory Ruling and Order regarding the Telephone Consumer Protection Act (the “July 2015 Order”). The July 2015 Order responded to 21 requests for clarification concerning previous rules and orders the FCC has issued pursuant to the TCPA, … Continue Reading

“Don’t Call Us, We’ll Call You.” The FCC’s Latest TCPA Ruling Imposes Even More Restrictions on Telemarketing Calls and Texts

On July 10, 2015, the Federal Communications Commission released the Omnibus Declaratory Ruling and Order (the Order) it adopted on June 18. The Order addresses requests for clarification regarding requirements under the Telephone Consumer Protection Act (TCPA) and previous rules and orders issued by the Commission. The Order, which took effect immediately upon release, is … Continue Reading

FTC Clarifies Native and Online Ad Obligations

The FTC, in recent staff statements, has sought to clarify advertisers’ and publishers’ obligations regarding native advertising and social media promotions, particularly regarding when and how to clarify to readers that a message is promotional and that the speaker has a material connection to the brand mentioned in the content. Further, the FTC has announced … Continue Reading

2015 BakerHostetler Incident Response Report Deeper Dive—Retailer Liability Arising from Stolen Payment Cards

We released the inaugural BakerHostetler Data Security Incident Response Report, which provides insights generated from the review of more than 200 incidents that our attorneys advised on in 2014. Over the next four weeks, we will post several blogs that will provide a more in-depth look at certain findings. In this post, we cover one … Continue Reading

California Attorney General Releases 2014 Data Breach Report and Recommendations, Finding More of the Same.

Editor’s Note: The author thanks Jaysen Borja for his contributions to this post. On October 28, 2014, Attorney General Kamala Harris released the second annual California Data Breach Report.  The report detailed the nature and scope of data breach notifications that her office received in 2013.  Her office has been analyzing notifications of data breaches … Continue Reading

Why Worry About a Little Skimmer?

Merchants—rightfully so—are worried about securing their payment card environments so that their name does not appear in a headline discussing how millions of cards were stolen from them. Faced with the challenge of evaluating the use of P2PE and tokenization, the conversion necessary to prepare for the October 2015 EMV liability shift, reading the tea … Continue Reading

Secret Service Raises Warning About Backoff POS Malware

The Secret Service, which investigates financial crimes, issued a security Alert on July 31, 2014, warning of malware named “Backoff” that was being used to steal payment card data from point-of-sale (POS) systems.  The Alert notes that the attackers often gain initial network access by stealing or brute-forcing the passwords for remote desktop applications (e.g., … Continue Reading