Privacy Report: Corporate Boards - Don’t Underestimate Your Role in Data Security Oversight
Corporate Boards: Don’t Underestimate Your Role in Data Security Oversight
The Federal Trade Commission (FTC) continues to put emphasis on the importance of corporate board involvement in privacy and data security. It states, “[I]t’s essential for corporate boards to do what they can to ensure that consumer and employee data is protected.” The FTC’s recent statement includes five recommendations for corporate boards: (1) make data security a priority, (2) understand the cybersecurity risks and challenges your company faces, (3) don’t confuse legal compliance with security, (4) it’s more than just prevention – take reasonable precautions, and (5) learn from mistakes.
Statement by FTC Acting Chairwoman Rebecca Kelly Slaughter on the U.S. Supreme Court Ruling Affecting the FTC’s Ability to Obtain Restitution
Federal Trade Commission Acting Chairwoman Rebecca Kelly Slaughter issued the following statement regarding the decision of the U.S. Supreme Court in AMG Capital Management LLC v. FTC: “In AMG Capital, the Supreme Court ruled in favor of scam artists and dishonest corporations, leaving average Americans to pay for illegal behavior. With this ruling, the Court has deprived the FTC of the strongest tool we had to help consumers when they need it most. We urge Congress to act swiftly to restore and strengthen the powers of the agency so we can make wronged consumers whole.” In this case, the U.S. Supreme Court held that Section 13(b) of the Federal Trade Commission Act does not authorize the FTC to seek “equitable monetary relief such as restitution or disgorgement.” The FTC has relied heavily on Section 13(b) for its privacy and cybersecurity enforcement, because it treats unreasonable cybersecurity or privacy practices as “unfair” or “deceptive” acts or practices under Section 5 of the FTC Act. Despite this ruling, the Commission can still seek restitution, but only after conducting a full administrative proceeding before an agency administrative law judge.
express, and opt-in consent” for requests involving the collection, sale, sharing, or other disclosure of sensitive personal information.
Scraping and Sale of Personal Data From LinkedIn
LinkedIn has issued a statement on reports regarding the sale of scraped LinkedIn data. LinkedIn clarified that the data set included publicly viewable profile data only, and did not include private member account data. LinkedIn says, “We have investigated an alleged set of LinkedIn data that has been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies.” Although LinkedIn states that this was not a data breach, several regulators have issued press statements announcing inquiries into the incident: Italy’s data protection authority, Hong Kong’s Office of the Privacy Commissioner for Personal Data, Luxembourg’s data protection authority, and Switzerland’s Federal Data Protection and Information Commissioner. Note that even where only public profile data is involved, a large aggregated data set of names, employers, and job titles is useful for targeted phishing and social engineering, which is one reason regulators treat large-scale scraping as a privacy concern rather than a non-event.
Patient Data Interoperability Regulations Come Into Force
Through the Cures Act, Congress defined “information blocking” and established penalties for those who engage in practices that interfere with the access, exchange, or use of “electronic health information” (EHI). The Office of the National Coordinator for Health Information Technology (ONC) announced that starting April 5, 2021, the following participants in health care will need to follow the Cures Act final rule on data interoperability: 1) health care providers, 2) health IT developers of certified health IT, and 3) health information networks/health information exchanges. ONC will continue to release education materials and communicate with stakeholders about the information blocking regulations.
Aiming for Truth, Fairness, and Equity in your Company’s Use of AI
Advances in artificial intelligence (AI) technology promise to revolutionize our approach to medicine, finance, business operations, media, and more. While the sophisticated technology may be new, the FTC’s attention to automated decision making is not. Among other things, the FTC has drawn on its experience enforcing the consumer protection laws it administers to report on big data analytics and machine learning, to hold a hearing on algorithms, AI, and predictive analytics, and to issue business guidance on AI and algorithms. This work, coupled with FTC enforcement actions, offers important lessons on using AI truthfully, fairly, and equitably. The FTC’s statement on consumer protection principles for the use of AI also signals that it will take enforcement action if companies do not hold themselves accountable for how they use AI.
Second Circuit: Plaintiffs Have Standing to Sue for Increased Risk of Identity Theft
In April 2021, the Second Circuit issued a decision recognizing an increased risk of future, unrealized identity theft or fraud as a basis for establishing Article III standing. This decision may clear a path for relief for victims of identity theft who have historically faced difficulty in establishing Article III standing. In its decision, the Court put forth the following, non-exhaustive three-factor test for determining whether risk of identity theft or fraud is sufficient to confer Article III standing: (1) Whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) Whether any portion of the dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) Whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.
Google Following Apple's Lead On Mobile App Disclosures
Google made a “pre-announcement” of privacy disclosures that will be required for new mobile app submissions and mobile app updates starting in Q2 2022. Google will share more details on the new policy requirements this coming summer, including detailed guidance on mobile app privacy policies. Developers will be asked to disclose what types of data are collected and stored (e.g., contacts, personal information, photos and videos), as well as how the data is used (e.g., app functionality and personalization).
Proposed Regulation on Artificial Intelligence
The European Commission has proposed new rules and actions for trustworthy Artificial Intelligence (AI). The press release states that “proportionate and flexible rules will address the specific risks posed by AI systems and set the highest standard worldwide” and that the rules follow a risk-based approach. AI systems considered a clear threat to the safety, livelihoods, and rights of people will be banned. This includes AI systems or applications that manipulate human behavior to circumvent users’ free will (e.g., toys using voice assistance to encourage dangerous behavior by minors) and systems that allow social scoring by governments.
Belgian Data Protection Authority Issues Guidance on Data Sanitization and Destruction
Controllers are required, under penalty of sanctions, to comply with Article 5(1)(e) of the GDPR, which provides that personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” When this period is exceeded, the controller must anonymize the data or permanently destroy it. The Belgian Data Protection Authority has released guidance to assist controllers with the sanitization and destruction of personal data. The guidance describes various sanitization techniques and also provides more general guidance on related requirements for data sanitization and destruction, including verifying that the sanitization actually succeeded and recording the results.
Brazil’s Data Protection Authority Appoints First Data Protection Officer and Creates Working Group
The Brazilian data protection authority (ANPD) has appointed Thiago Guimarães Moraes as its first data protection officer, with Tatiana Freitas de Oliveira appointed as his substitute. In addition to the data protection officer and substitute, the ANPD created a working group to draft guidelines, propose actions, and monitor measures for adapting to the Brazilian national privacy law (LGPD). The working group will specifically prepare a Privacy Governance Program, coordinate compliance with the LGPD and ANPD policies, and provide guidance when requested.
Brazil Issues Guide on Requirements for IT Contracts
Brazil released a “Guide on Requirements and Obligations regarding Information Security and Privacy” for public institutions. The guidance specifies minimum requirements for information security and privacy in IT contracts. The guidance addresses several topics, including business continuity and contingency, security event and incident logs, vulnerability analysis, privacy and security requirements, and the allocation of responsibilities between the contracting parties. The guide is available only in Portuguese.
China’s Personal Information Protection Law is Open for Public Comments
China issued the second draft of its Personal Information Protection Law at the end of April. The draft is open for public comments through May 28, 2021. The text of the second draft and the comment submission page are available only in Chinese. The second draft contains several material changes on the following topics: consent for processing children’s data, consent and revoking consent, protections for the personal data of deceased individuals, and additional requirements for data processors that provide online platform services to a large number of users.