Eye On Privacy

Timely Updates and Analysis on Privacy and Cybersecurity Issues

The UK Information Commissioner’s Office recently released helpful encryption guidance. Although released to address the GDPR security requirements, this document may be helpful more broadly because of the detail around encryption the ICO provides. In the guidance, the ICO points to certain types of encryption (symmetric and asymmetric) and when to use the different methods. The ICO also clarifies that “hashing” is not encryption, two things that are often confused. The ICO also gives information…
The Food & Drug Administration has recently released for comment a draft expansion of guidance regarding Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Although the FDA issued existing guidance in 2014, the new guidance reflects concerns about the rapidly-changing nature of cybersecurity threats, and the potentially grave consequences of cybersecurity incidents involving healthcare and medical devices—particularly medical devices which connect to the internet, networks, or other devices. The draft guidance gives…
On Election Day 2018, in the State that boasts the official motto of “Live Free or Die,” over 80% of New Hampshire voters overwhelmingly approved an amendment to the State Constitution enshrining an explicit “right to privacy” to New Hampshire residents. Question 2 on New Hampshire ballots asked voters to approve (or reject) the following language to the New Hampshire Constitution: An individual’s right to live free from governmental intrusion in private or personal information…
Companies doing business in China may see an increase in enforcement actions with the enactment of a new cybersecurity regulation and the enforcement powers of the Public Security Bureaus (PSBs) officially codified. The regulation – Provisions on Internet Security Supervision and Inspection by Public Security Organs – is now in effect, more than a year after the enactment of the country’s Cybersecurity Law.…
In the recent case of Marks v. Crunch San Diego, LLC, 904 F.3d 1041 (9th Cir. 2018) the Ninth Circuit broadly interpreted the TCPA’s definition of automatic telephone dialing system (often referred to as ATDS) to include devices with the capacity to dial stored numbers automatically. The device at issue in Marks is called the “Textmunication” system, which the Court described as “a web-based marketing platform designed to send promotional text messages to a list…
UK supermarket chain Morrisons has been held vicariously liable for the acts of a malicious employee in the UK’s first data leak class action. The issue began in 2014, when a disgruntled Morrison’s internal IT auditor posted to a public file-sharing website the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, national insurance numbers and bank details). The employee was found criminally liable in 2015 and jailed for eight years. A…
The Federal Trade Commission recently issued a cyber guide that, while intended for small businesses, can be of help for all businesses. The purpose of the guide, which includes various modules, is to help smaller businesses address data security threats. These modules follow guidance the FTC issued in April, stressing the importance of cyber security preparedness and the help the FTC intended to give to small businesses on that front.…
Effective November 2, 2018, companies that suffer a breach may have certain defenses in Ohio if they have a written cybersecurity program in place. Under this new law, companies can use as an affirmative defense the existence of a cyber program in rebuttal to an argument that they failed to implement reasonable information security controls, and that failure resulted in a breach. The definition of breach (and personal information that if impacted gives rise…
The New Jersey attorney general recently announced its settlement with software company LightYear Dealer Technologies, LLC- doing business as DealerBuilt- over a 2016 data breach. The company provides its clients, car dealerships, software to organize and manage both customer and employee information. That information includes drivers’ license numbers, Social Security numbers, and financial account information. According to the AG’s order, the company misconfigured a file synchronizing program. As a result, sensitive information was available…