Latest Articles

Today, our blog takes a detour from advising on the CPSC and FTC to update you on a lesser-known law that can have major compliance consequences for appliance manufacturers and importers: the Energy Policy and Conservation Act, or “EPCA.” Background: EPCA was born out of legislation in the late 1970s, which authorized the setting of non-binding “energy efficiency improvement targets” for 13 categories of appliances. Congress beefed up the statute in the 1980s to impose…
After over a decade, the first action has been filed that may test the bounds of the Support Anti-Terrorism by Fostering Effective Technologies Act (“SAFETY Act”) of 2002. MGM Resorts International recently filed suit related to the October 2017 Mandalay Bay country music concert shooting, asking a federal court to rule that it cannot be held liable because the security technology used at the concert was certified by the Department of Homeland Security (“DHS”) under…
The Colorado legislature recently passed a new data privacy law, House Bill 18-1128, which heightens requirements for corporate and public entities handling personal information of Colorado residents. Effective September 1, 2018, the law aims to strengthen consumer data privacy by 1) shortening the time frame for notifying affected Colorado residents and the Attorney General of a data breach to 30 days after determining that a breach occurred; 2) requiring business and third party…
The U.S. Court of Appeals for the Seventh Circuit (the “7th Circuit”) recently issued an opinion in Heather Dieffenbach, et al. v. Barnes & Noble, Inc. that is potentially concerning for current and potential defendants in class action claims related to data breaches. The case relates to a 2012 incident in which Barnes & Noble discovered that attackers had compromised some of the PIN pads it used to verify customer payment information. The attackers then used…
The Federal Energy Regulatory Commission (“FERC”) recently proposed that the North American Electric Reliability Corporation (“NERC”), which is responsible for promulgating and enforcing FERC-approved mandatory electric reliability standards, revise its Critical Infrastructure Protection (“CIP”) standards to expand the circumstances under which reporting of cybersecurity incidents is mandatory. FERC’s goal is to enhance awareness of existing or developing threats, including incidents that might enable future harm to the nation’s bulk electric system. NERC’s current CIP…
On 29 March 2017, the U.K.’s Prime Minister, Theresa May, formally began the Brexit process by giving notice pursuant to Article 50 of the Treaty on European Union of the U.K.’s intention to withdraw from the EU. Since then, the parties have held three rounds of negotiations. Frustration has been expressed in some quarters by the pace of these negotiations and a perceived lack of clarity of the U.K. government’s ultimate goals for Brexit. Against…
On October 25, 2016, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a new Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime as well as a related list of Frequently Asked Questions (FAQs). The Advisory provides guidance to financial institutions on FinCEN’s expectations with regard to: (1) reporting cyber-enabled crime and cyber-events through Suspicious Activity Reports (SARs); (2) including relevant and available cyber-related information (e.g., Internet Protocol (IP) addresses with timestamps,…
Bavarian DPA: fines under GDPR to be calculated based on revenues of whole company group; ICO publishes report on data security incident trends. Bavarian DPA: fines under GDPR to be calculated based on revenues of whole company group On September 01, 2016, the German Data Protection Authority of Bavaria (BayLDA) announced that, according to its understanding, sanctions under the GDPR will be calculated based on the revenue of a whole company group. According to…
ICO investigating Facebook and WhatsApp data sharing plans; Germany and France publish joint action plan against encryption; Privacy Shield now covering 200 U.S. companies. UK DPA investigating Facebook and WhatsApp data sharing plans The United Kingdom’s Information Commissioner (‘ICO’) is taking a closer look at WhatsApp’s plan to share more user data with parent company Facebook for the purposes of targeted advertising. According to a recent WhatsApp blog post, WhatsApp has changed its…
First self-certifications accepted under Privacy Shield; EU Commission considers extension of telecommunication rules to apps. U.S. Department of Commerce accepts first batch of self-certifications under Privacy Shield About 2 weeks after the announced start of the certification procedure under the “EU-U.S. Privacy Shield” (‘Privacy Shield’) on August 1, 2016, the U.S. Department of Commerce (‘DoC’) officially granted certification status to a first set of approximately 40 U.S.-based multinational companies. According to a DoC spokesperson,…