Seyfarth Shaw is pleased to announce the launch of Carpe Datum Law, a one-stop resource for legal professionals seeking to stay abreast of fast-paced developments in eDiscovery and information governance, including data privacy, data security, and records and information management. Seyfarth’s eDiscovery and Information Governance (eDIG) practice group created Carpe Datum Law to serve
Cross Posted from California Peculiarities Employment Law Blog
Hernandez v. Sprouts Farmers Market, Inc., a case stemming from a phishing scam, emphasizes the need for California employers to implement comprehensive data protection and data breach notification policies and practices for personal employee information under the CDPA.
A story of a company suffering a data breach tops newspaper headlines almost daily. So how can you stay out of the “fuego,” and stay compliant with California laws about your employees’ and customers’ data?
California’s Data Protection Act—“Army Of One”
In 2003 California passed the nation’s first data breach notification statute: the CDPA. Since then, over 30 states have enacted similar statutes, but California remains the national leader in privacy and data security standards.
The CDPA mandates that any business that “owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” And it requires a company to notify affected individuals of a data breach “in the most expedient time possible and without unreasonable delay.”…
Cross Posted from Employment Law Lookout
Over the last decade, communication via email and text has become a vital part of how many of us communicate in the workplace. In fact, most employees could not fathom the idea of performing their jobs without the use of email. For convenience, employees often use one device for both personal and work-related communications, whether that device is employee-owned or employer-provided. Some employees even combine their personal and work email accounts into one inbox (which sometimes results in work emails being accidentally sent from a personal account). This blurring of the lines between personal and work-related communications creates novel legal issues when it comes to determining whether an employer has the right to access and review all work-related communications made by its employees.…
It is the beginning of 2016, and American companies are anxiously awaiting news of whether or not a new “Safe Harbor 2.0” will emerge. In October of 2015, the European Court of Justice declared invalid Safe Harbor 1.0 in the Schrems decision. This had an immediate effect on any American company collecting personal data from the EU by removing the legal basis for this kind of data transfer. As of October 2015, consumer, client, and even employee data cannot be legally transferred to the US under the Safe Harbor Framework.
Fortunately, the data protection regulators (“DPAs”)recognized the turmoil this decision created within the business community on both sides of the Atlantic. As a result, the Article 29 Working Party (which is the convention of DPAs from each of the EU Member States) issued an enforcement moratorium on enforcement actions until the end of January 2016, so that they could assess the effectiveness of data transfer tools available. As part of this moratorium, the Working Party called on “…Member States and European institutions to open discussions with U.S. authorities in order to find legal and technical solutions”; and that the “current negotiations around a new Safe Harbor could be part of the solution.”…
In an interim final rule published on October 2, another layer has been added to the compliance landscape for defense contractors. In addition to complying with breach notification requirements in as many as 47 different states in the event of a breach involving personally identifiable information, Department of Defense contractors now have to comply with the rapid notification rules issues by DOD in the even of a cyber incident involving covered defense information. These rules are noteworthy in that they require DOD contractors to report cyber incidents within 72 hours of discovering the incident. Most state breach notification statutes do not require that individuals be notified of a breach within a specific number of days and the few state statutes that do have such a requirement contain a much more lenient timeframe of 45 to 90 days. …
Today the European Court of Justice (“ECJ”) issued its Judgment in the Schrems case, and in doing so, added another tremor to the ongoing seismic shift related to cross-border privacy law. The two major elements of today’s Judgment are: 1) that Commission Decision 2000/520/EC of 26 July 2000 of the adequacy of the protection provided by the US Safe Harbor Framework (the “Safe Harbor Decision”) is invalid, and 2) even if the Safe Harbor Decision were otherwise valid, no decision of the Commission can reduce the authority of a national data protection authority to enforce data protection rights as granted by Article 28 of Directive 95/46/EC (the “DP Directive”).
Clearly, the first element brings a more immediate concern for all the companies participating in the Safe Harbor framework. However, the second element will have much longer term consequences for the stability of US-EU commerce and privacy law.…
With the recent uptick in the U.S. of lawsuits filed as a result of a data breaches, state legislators in the U.S. have been busy updating the many different state laws that dictate how a company must respond if they have been hacked and personal information has been compromised. With no comprehensive federal law that sets forth a uniform compliance standard, companies operating in the U.S. must comply with a patchwork of 47 different states laws that set forth a company’s obligations in the event of a data breach.
Additionally, the trend is to have more than just notice requirements. Now companies have to develop proactive steps they must take to avoid a data breach in the first place. We first saw this with the Massachusetts law, and the model is expanding.
In any case involving a data breach of customer or employee information, the first line of defense for the defendant is to assert that the plaintiff(s) lack standing to bring suit. In Remijas v. Neiman Marcus Group, the Seventh Circuit became the first United States Court of Appeals to tackle the issue of standing in the context of data breach litigation since the Supreme Court’s pronouncement on standing in Clapper. …
The plethora of security incidents in the news have once again put security front and center of the international agenda. Predictably, this has triggered a number of responses from governments around the world. Some of these responses seem to have been ill-considered. However, one of the more comprehensive responses came out of the US President’s address to the Federal Trade Commission last week. A series of laws were proposed to address the increasing risks which are confronting individual security and privacy rights.
The President’s remarks at the FTC gives some valuable insight into where the US regulatory environment may end up in the next year or so. As a part of this analysis, one should focus on two very different agendas: Privacy and Security. These issues, while similar, are very different. Case in point, the UK PM’s comment around banning encryption could well result in increased security. However, it will absolutely damage individual privacy (and arguably also damage commercial security).…
A company faced with a security breach has a lengthy “to do” list, things to accomplish with respect to its incident response plan. It must, among other things, determine the root cause of the vulnerability or breach, investigate and eliminate the vulnerability or breach, determine the full nature and extent of the breach, determine who to notify and finalize the notifications.
If the American Postal Workers Union (APWU) has its way, a unionized employer facing a security breach involving employee personal information would have yet another responsibility – bargaining over the impact of or response to the security breach.…