Alabama Law Increases Cybersecurity Requirements for Insurance Entities
By Kacey Jennings, Villanova University Charles Widger School of Law
A new Alabama law, S.B. 54, requires entities licensed by the Alabama Department of Insurance to develop and implement cybersecurity programs, and subjects those companies to civil penalties for noncompliance. Companies must maintain written information security programs that include an incident response plan, and they must notify the Commissioner of Insurance of cybersecurity incidents no later than three business days after determining that an incident occurred. Businesses that have fewer than twenty-five employees, gross less than $5 million annually, or can provide a statement proving they are HIPAA compliant are exempt from the new law. The law is significant because it protects nonpublic personal information that could be used to identify consumers. Businesses in Alabama should review their policies to ensure they comply with this heightened standard, which goes into effect May 1, 2020.
Oregon and California Enact “Internet of Things” Laws to Protect Consumer Data
By Chelsea Ryan, Tulane University School of Law
Oregon, looking to hold companies accountable for consumers’ security, recently passed an “Internet of Things” bill. HB 2395, which is effective January 1, 2020, specifically requires a unique password for each device and requires users to create their own unique passwords when accessing the device. Similarly, in August 2018, California became the first state to pass a law covering smart devices. SB-327 takes effect January 1, 2020. The bill requires that any device that connects to the internet, directly or indirectly, be equipped with security measures that protect against hackers and information leaks. It also includes an extra measure requiring unique passwords for the devices themselves, instead of just the WiFi.
Location, Location, Location: Warrantless Search of Car’s GPS Data Violates Fourth Amendment
By William R. Zwicharowski, Villanova University Charles Widger School of Law
The U.S. District Court for the Northern District of Illinois, Eastern District, has held that law enforcement must obtain a warrant before accessing an individual’s GPS data, even if the data is obtained from a third party. In United States v. Diggs, No. 18 CR 185-1, (N.D. Ill. May 13, 2019), law enforcement agents, without first obtaining a warrant, accessed over a month’s worth of data, collected by a third party, that detailed the location of the defendant’s car in an effort to prove the defendant’s involvement in a robbery. The court found that such an act violated the Fourth Amendment because it violated a person’s “reasonable expectation of privacy in the whole of their physical movements,” a right recognized in United States v. Jones, 565 U.S. 400 (2012), and articulated in Carpenter v. United States, 138 S. Ct. 2206, 2217 (2018). This right was not thwarted by the third party doctrine, because the court found, consistent with Carpenter, that the fact that the information was obtained from a third party was outweighed by the “privacy concerns implicated by the ‘detailed and comprehensive record of [Digg’s] movements’” captured by the car’s GPS tracker. Further, the good-faith exception to the exclusionary rule did not apply because the court found that no binding case law in the jurisdiction authorized such a warrantless search of GPS data, and thus, no reasonable officer could have conducted the search in reliance on such precedent. Finally, the court held that even if binding precedent existed, the search would still not fall under the good-faith exception because the defendant authorized the third party data collector to use his location only to find the vehicle, rather than continuously track the vehicle, and therefore, the tracking fell beyond the scope of the authorization.
Delaware Chancery Court Orders Facebook to Produce Data Protection Documents
By Lauren Dunkle Fortunato, Young Conaway Stargatt & Taylor, LLP
The Delaware Court of Chancery recently ordered Facebook, Inc., to produce board-level emails in response to a demand under Section 220 of the Delaware General Corporation Law. In re Facebook, Inc. Section 220 Litig., Consol. Case No. 2018-0661-JRS (Del. Ch. May 31, 2019). Brought in the aftermath of the Cambridge Analytica data privacy scandal, where Facebook users’ personal information was improperly sold and used, the Section 220 demand sought to investigate a claim that directors had failed to oversee Facebook’s affirmative data protection obligations under a 2011 Consent Decree with the Federal Trade Commission.
The Facebook decision is likely not an indication that future Section 220 plaintiffs will have unrestricted access to board emails. Like previous opinions ordering the production of emails or text messages, there were special circumstances at play. First, based on an earlier production by Facebook, there were no usable board minutes—any board minutes containing potentially relevant information had been highly redacted. Second, stockholder plaintiffs had introduced evidence of high-level internal Facebook email communications on point. Plaintiffs had introduced a 2018 British parliamentary report that found improper conduct by the Facebook board and had released internal Facebook emails revealing the company’s intent to monetize users’ private data using highly risky methods.
The Belgian Data Protection Authority Issues Its First Fine under GDPR
By Valerie Surgenor and Rebecca Henderson
Last month the Belgian Data Protection Authority (“Belgian DPA”) issued its first fine under the General Data Protection Regulation (“GDPR”) since the regulation entered into law on 25 May 2018. The fine was imposed on a public official (a local mayor). The complaint was heard by the DPA’s Litigation Chamber, which is independent from the rest of the Belgian judicial system. The mayor in question was fined €2000 for the illegal use of personal data.
On 12 December 2018, data subjects submitted a complaint to the Belgian DPA because they had consented to the processing of their data for administrative mayoral duties in relation to a real estate project, not for the purposes for which the mayor subsequently used it. The mayor originally collected the email addresses in the context of the real estate project but then used the personal data to send materials related to his election campaign. This was held to be a breach of Article 5(1)(b) of the GDPR (i.e. that personal data should only be collected for an explicit, legitimate and lawful purpose). The DPA’s Litigation Chamber stated “the personal data initially collected was not compatible with the purpose for which the data was further used by the mayor.”
Given the moderate size of the fine, it is unlikely that the personal data contained any special category data. When considering the level of fine to impose, the Belgian DPA considered the number of data subjects as well as the nature, seriousness and duration of the infringement. The DPA’s Litigation Chamber said that the mayor’s behaviour was a serious infringement of the GDPR and affirmed that controllers must take responsibility for GDPR compliance. The fine emphasises that data protection is everyone’s responsibility and highlights that public officials who hold a government mandate, such as mayors, must be particularly careful when using personal data for personal purposes. The mayor can appeal the decision of the Belgian DPA to the Brussels Markets Court.
The fine illustrates the strong stance the new Executive Board of the Belgian DPA will take in relation to breaches of data protection law. The decision is available in Dutch and can be found here.
FATF Issues Guidance on Virtual Assets
By Stephen T. Middlebrook, Womble Bond Dickinson
The Financial Action Task Force (FATF) issued Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. FATF is an international, inter-governmental body that develops policies and recommendations on how to identify and prevent money laundering and terrorist financing in the global financial system. In this document, FATF makes recommendations on how governments should approach regulating what FATF calls “virtual assets” (VA) and “virtual asset service providers” (VASP). FATF endorses a risk-based approach to regulating VAs and VASPs and employs a broad definition of the term “virtual asset.” Among its many recommendations, FATF suggests that VASPs be subject to registration and licensing requirements, implement appropriate customer due diligence programs, and identify the beneficial owners of VAs.