Global Privacy & Security Compliance Law Blog

Court Rules on D-Link Motion to Dismiss in FTC Matter

Posted in Security

By Michael Rubin, Scott Jones, and Cooper Rekrut

On September 19, 2017, Judge Donato of the Northern District of California ruled on Defendant D-Link System Inc.’s (D-Link) Motion to Dismiss, which challenged claims by the Federal Trade Commission (FTC) that D-Link’s conduct constituted unfair and deceptive trade practices in violation of Section 5 of the FTC Act.

The FTC’s complaint alleges that D-Link failed to implement adequate data security with respect to router and IP cameras it marketed and sold to the public. According to the FTC’s complaint, D-Link’s router and IP cameras were susceptible to well-known exploits and other vulnerabilities that left consumers at risk of compromise by hackers. The FTC alleged that these practices were both deceptive (contrary to D-Link’s representations about the security of their products) and unfair (caused or were likely to cause substantial injury to consumers). Continue Reading

Russia Introduces New Definition and Obligations for Audiovisual Service Owners

Posted in Legislative & Regulatory Developments

By Gail Crawford and Ksenia Koroleva

The Federal Law No. 87-FZ of May 1, 2017, on Amendments to the Federal Law on Information, Information Technologies, and Information Protection (the Law) came into force on July 1, 2017. The Law introduces the definition of an audiovisual service owner and regulates their activities, including imposing ownership restrictions.

The Notion of Audiovisual Service Owners

According to the Law, an audiovisual service owner is an owner of a website, a page of a website, an information system, and/or software (an Audiovisual Service):

  • Used for collating and providing access to audiovisual content
  • By paid subscription and/or funded by advertising
  • To users located in the territory of Russia
  • With more than 100,000 users a day (on average)

The following are not regarded as an Audiovisual Service:

  • Information resources registered as online media in accordance with the Federal Law No. 2124-1 of December 27, 1991, on Mass Media (e.g., online media, TV-channels, TV/radio/video programs, etc.)
  • Search engines
  • Information resources which focus on hosting user-generated content under the criteria to be set by the Federal Service for Supervision in the Sphere of Telecom, Information Technologies, and Mass Communications (Roscomnadzor) (e.g., YouTube, RuTube, Vimeo).

Continue Reading

Messaging Apps May Face New Obligations in Russia

Posted in Legislative & Regulatory Developments, Privacy

By Gail Crawford, Ksenia Koroleva, and Andrea Stout

The State Duma, Russia’s lower chamber of Parliament, has adopted amendments to the Federal Law on Information, Information Technologies and Information Protection of the Russian Federation (the Law) in its first reading. Under the proposed amendments, messaging apps would be required, among other things, to verify users through their telephone numbers and to distribute certain text messages at the request of government agencies. The amendments would also allow the Russian government to block messaging apps which continue to allow users to register anonymously.

The proposed amendments still have to go through the remaining stages of the legislative process, including two further readings in the State Duma, approval by the Federation Council (the upper chamber of the Russian Parliament) and signing by the President. Amendments are still possible during these later stages. If adopted, the amendments will come into force on 1 January 2018. By broadly defining both “information and communication service” and “instant messaging information and communication service,” the amended Law imposes new obligations on all messaging applications and operators. Under the amended Law, messaging apps would be required to: Continue Reading

The Countdown Continues: One Year to the GDPR

Posted in Privacy

By Gail Crawford, Ulrich Wuermeling, Calum Docherty

The General Data Protection Regulation (GDPR or Regulation) will become applicable in one year, as of May 25, 2018. A lot has happened since we set out the key provisions of the Regulation last year. As companies implement compliance programmes in efforts to protect data subjects and avoid hefty enforcement penalties, each EU Member State government has to pass implementation laws. Furthermore, regulators are slowly providing guidance on how to apply and interpret the GDPR.

What is happening in the EU Member States?

The GDPR was drafted to “harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States” (Recital 3). Yet the GDPR itself provides a lot of leeway for Member States in its implementation, including room for derogations from at least 50 articles. This “margin of manoeuvre” (Recital 10) creates a degree of uncertainty for data controllers and data processors, and there are some areas where companies (especially those processing sensitive personal data, where Member States have the most flexibility) will need to wait and respond to what Member State governments are proposing. Continue Reading

Trump Administration Issues New Executive Order Focused on Strengthening Federal Cybersecurity

Posted in Legislative & Regulatory Developments, Security

By Steven Croley*, Jennifer Archie and Serrin Turner

The Trump Administration has issued a much anticipated Executive Order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” directing federal executive agency heads to undertake various cyber-related reviews and to report findings back to the White House within prescribed timetables. Unlike some of the Trump Administration’s executive orders receiving much attention in recent weeks, this new cybersecurity EO does not aim to unwind policies put in place or initiatives undertaken by the Obama Administration. In fact, subsequent steps by the Trump Administration following the new EO are likely to build upon the previous Administration’s efforts, which had assigned responsibilities to various executive departments serving as “sector specific” agencies for different sectors (energy, communications, transportation, and so on) with critical infrastructure. Continue Reading

Ransomware Attacks: When Is Notification Required?

Posted in Security

By Jennifer C. Archie, Serrin Turner and Marissa Boynton

Ransomware is one of the most prevalent cybersecurity threats afflicting businesses today. When an attack hits, a victim company must confront the difficult question of whether to pay the ransom demanded in order to regain access to the company’s files and restore business operations. But there is an additional question the company may face: does the incident need to be disclosed? The answer may not be straightforward. When sensitive data has been encrypted by ransomware, has it been “accessed” or “acquired” by an unauthorized actor as those terms are used in relevant breach notification statutes? What risks are there that the attacker will use the information in a way that harms the individuals whose data is affected? Our Client Alert discusses these questions as well as other legal and technical issues a company should consider in addressing notification in the wake of a ransomware attack.

Continue Reading

Germany Implements GDPR

Posted in Privacy, Security

By Ulrich Wuermeling

Well ahead of the implementation deadline for the European General Data Protection Regulation (GDPR), the German Parliament (Bundestag) passed a new Federal Data Protection Act (Bundesdatenschutzgesetz) on April 27, 2017. The Federal Council (Bundesrat) could confirm the Act before the summer, but may require further amendments. If the Parliament and the Council fail to agree, the legislative process will have to start from the beginning after the German elections in September.

The new Act retains the old title of the Bundesdatenschutzgesetz, but the content has changed completely. The GDPR is directly applicable and, therefore, the Act only complements the GDPR or regulates areas outside the scope of it. Most of the 85 Articles of the new Act deal with the public sector and the implementation of the Law Enforcement Directive. However, it also includes some provisions for the private sector based on opening clauses that either allow or require national implementation. The main German modifications for the private sector are the following: Continue Reading

China Introduces Legislation that Enhances Personal Information Rights

Posted in Legislative & Regulatory Developments

By Julia Dai, Hui Xu, and Sean Wu

On March 15, 2017, the National People’s Congress (the NPC), the national legislature of the People’s Republic of China (the PRC), passed the General Provisions of the Civil Law (the General Provisions). To better protect rights and establish obligations for individuals and entities in modern China, the General Provisions have undergone a major “face lift,” including revisions and the addition of 50 new provisions to the existing 1986 version. Among these new provisions, the clauses introducing “Personal Information” rights and confirming “Data” protection are especially noteworthy.

A personal information right is now recognized as a civil law right and thus creates a private right of tort action. While the definition and scope of “personal information” are currently ambiguous, the Supreme People’s Court is expected to issue its judicial interpretation of the General Provisions. In the meantime, other legislation such as the Network Security Law offers the best context by which to assess the possible scope of the term.

Continue Reading

China Issues Draft Measures to Restrict the Overseas Transmission of Personal Data

Posted in Legislative & Regulatory Developments, Privacy

By Hui Xu, Gail E. Crawford, Wei-Chun (Lex) Kuo, Andrea E. Stout and Sean Wu

The Cyberspace Administration of China (CAC) issued Draft Measures for public comment on April 11 on Security Assessment for Cross-border Transmission of Personal Information and Critical Data (the Draft Measures). The Draft Measures provide further clarification surrounding the “localization” requirement and the transmission limitation on personal information and critical data that was adopted in Article 37 of the Network Security Law. In addition, the Draft Measures propose a new mechanism to guide critical information infrastructure operators (CII operators) should they have a valid business need to transmit personal information and data outside of China.

While the definitions of “Data Transmission to Overseas” and “Critical Data” are consistent with the Network Security Act, the Draft Measures’ existing definitions do not specify whether “located out of China” applies virtually, as well as physically.

Notably, the scope of the localization requirement and transmission ban are essentially extended to all internet operators, individuals and organizations. While the Network Security Law sets restrictions on CII operators, articles 2 and 16 of the Draft Measures support subjecting all entities and individuals to the requirement that personal information and critical data gathered in China should be stored in China, as well as requiring that a security assessment is conducted before such data is transmitted out of China for business need.

Continue Reading

US Magistrate Judge Upholds Search Warrants for Google Data Stored Overseas, “Shards” and All

Posted in Legislative & Regulatory Developments, Privacy, Security

By Serrin Turner and Megan Behrman

Another front recently emerged in the legal battle over whether US law enforcement authorities can use a search warrant issued under the Stored Communications Act (SCA) to obtain data stored overseas. Until now, the battle has been focused in New York, where Microsoft filed a challenge in December 2013 to an SCA warrant for an Outlook.com e-mail account stored on a server in Ireland. Last summer, the US Court of Appeals for the Second Circuit sustained Microsoft’s challenge, holding that the use of an SCA warrant to obtain data stored overseas would constitute an impermissible extraterritorial application of the statute. On January 24, 2017, the Second Circuit declined to rehear the case en banc. It remains to be seen whether the Government will petition the Supreme Court to hear the case.

For the moment, however, the action has shifted to Philadelphia, where Google is litigating a similar issue. On February 3, 2017, US Magistrate Judge Thomas J. Rueter of the Eastern District of Pennsylvania issued a decision compelling Google to comply with search warrants issued under the SCA for two separate Google accounts. Google initially refused to comply fully with the warrants, relying on the Second Circuit’s decision in the Microsoft case. Because the data associated with the two Google accounts at issue is distributed across multiple servers in a variety of jurisdictions, Google sought to comply with the Microsoft ruling by turning over only the account data stored on servers located in the United States, while withholding any account data stored on servers abroad. Judge Rueter, however, disagreed with the reasoning of the Second Circuit’s decision in the Microsoft case—which was not binding on him, as Philadelphia sits within the Third Circuit—and ordered Google to produce all of the account data in response to the warrants, regardless of its physical location. Continue Reading
