CURRENT MONTH (April 2018)
Data Privacy
South Dakota Joins the Club by Passing a Data Breach Notification Law
By Jesse L. Noa, Potter Anderson & Corroon LLP
On March 21, 2018, South Dakota joined 48 other states by enacting its data breach notification law. Effective July 1, 2018, the law requires that any person or entity doing business in South Dakota that owns or licenses “personal information” or “protected information” of South Dakota residents must provide notification to affected residents in the event of a “breach of system security.” Absent limited exceptions, notice must be sent within 60 days of discovery of the breach to any resident whose information was, or is reasonably believed to have been, acquired by an unauthorized person. Notice must also be provided to the attorney general if the breach impacts more than 250 residents. Like many other states, South Dakota provides a safe harbor for encrypted data, provided that the encryption key is not implicated as part of the breach. Violation of the law can carry steep penalties. The attorney general can seek up to $10,000 per day per violation in addition to other remedies, including possible criminal prosecution, as well as recovery of attorneys’ fees. Further, while not explicit, the law’s incorporation of South Dakota’s Deceptive Trade Practices Act raises a question regarding whether there is a private right of action under the new law.
Last, but Not Least: Alabama Enacts a Data Breach Notification Law
By Jesse L. Noa, Potter Anderson & Corroon LLP
On March 28, 2018, Alabama became the last state to enact a data breach notification law. Effective May 1, 2018, the law requires that covered individuals, entities, and their vendors proactively implement and maintain reasonable security measures to protect “sensitive personally identifying information.” Notification, which must include specific information, must be sent to any Alabama resident who may be a victim of the breach if it is determined that there is a reasonable likelihood that the breach will cause that resident substantial harm. This notification requirement expands to include the attorney general and consumer reporting agencies if the breach involves 1,000 or more Alabama residents. Absent certain exceptions, notification must be provided no later than 45 days from the date of a qualifying breach. Alabama, like many other states, provides a safe harbor for encrypted data, but only if the encryption key is not implicated as part of the breach. The Alabama Attorney General has the exclusive authority to bring civil penalties under the new law, which can include up to $5,000 per day for failure to take reasonable actions to comply with the notification requirements.
Department of Commerce Provides Update on Recent Developments Concerning the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
By Michael Silvestro, Skarzynski Black LLC
The Department of Commerce’s International Trade Administration has published an update on actions taken by the U.S. to support the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks from January 2017 through March 2018. The ITA explains that the Department of Commerce has implemented more rigorous certification reviews and expanded compliance reviews, including random spot checks to verify access to points of contact and maintenance of certification requirements. In addition, in January 2018 a slate of arbitrators was confirmed to ensure that EU individuals have recourse to arbitration; the Department of Commerce and Swiss Administration are working to finalize the arbitration process for Swiss individuals. The update also includes a number of national security implications, including information about the Privacy and Civil Liberties Oversight Board (PCLOB), the Privacy Shield Ombudsman, and the reauthorization of FISA Section 702.
Digital Currency
New York AG Opens New Regulatory Avenue For Cryptocurrency Exchanges
By Jonathan Sorkowitz, Skarzynski Black LLC
New York Attorney General Eric Schneiderman sent a questionnaire to leading virtual currency exchanges on April 17 which may open a second regulatory front for such businesses in New York. The AG is requesting wide-ranging disclosures about the business practices of the exchanges, asserting authority to protect investors and to investigate and sue over deceptive and unfair trade practices under New York GBL §§ 349 and 352. Previously, in 2015, the New York State Department of Financial Services (DFS) issued first-in-the-nation regulations unofficially known as the ‘BitLicense’ rule, intended to vet businesses for stability and integrity before letting them operate, impose capital controls, and provide for disclosures. However, the AG’s questionnaire asks for wide-ranging information concerning business practices that may not have been provided to DFS. The targets of the AG’s information request include some firms that already have BitLicenses. While surely there is a legitimate need for the AG’s watchful eye in the developing cryptocurrency space, regulators seeking to make New York a hub for such businesses will need to be careful not to work at cross-purposes. Exchanges, for their part, should exercise caution and realize that even if a BitLicense is required of them it will not protect them from the AG’s scrutiny. The AG published a press release with additional information.
Internet Law
Pro-Net Neutrality Commissioner Mignon Clyburn Resigns from FCC
By Katherine J. Kim, Spark IP Law
Net neutrality advocate Mignon Clyburn stepped down as a commissioner for the Federal Communications Commission last week after serving over eight years at the agency. In 2013, Obama-appointed Clyburn was the first Acting Chairwoman of the FCC, then subsequently worked with the new chairman, Tom Wheeler, in passing the pro-net neutrality Open Internet Order in 2015 that reclassified telecoms as utilities under the Communications Act of 1934. The Open Internet Order was repealed in December 2017 by the FCC led by Trump-appointed chair Ajit Pai. She was also a vocal critic of the exorbitant rates that prison inmates were charged for phone calls and supported the low-income phone subsidy program, Lifeline, to cover broadband service. For more information: https://www.fcc.gov/document/commissioner-carrs-statement-commissioner-clyburns-departure
Researchers Have Standing to Challenge CFAA for Violating Website TOU
By Sara Beth A.R. Kohut
The U.S. District Court for the District of Columbia recently held that certain law professors and a media organization had standing to challenge the federal statute that criminalizes their plans to intentionally violate website terms of service for the purposes of researching whether those websites engage in discrimination. In Sandvig v. Sessions, No. 16-1368 (JDB) (D.C. Mar. 30, 2018), the plaintiffs planned to employ bots, data scraping, false accounts, and other techniques, which were prohibited by the terms of use of their research-target websites, to research whether the websites’ algorithms unintentionally have a prohibited discriminatory effect. The plaintiffs challenged a provision of the Computer Fraud and Abuse Act (CFAA) that penalizes a person who accesses information on computers used in interstate commerce without appropriate authorization. The court found that the plaintiffs’ pleadings were sufficient to establish standing to bring First and Fifth Amendment claims. Interestingly, the court noted that utilizing false accounts for research would fall under the CFAA, while the use of data scraping and bots would not be covered by the CFAA because they were “technological tools for humans to more efficiently collect and process information that they could otherwise access manually.”