Jenner & Block

Consumer Law Round-Up

March 27, 2020 COVID-19 / Coronavirus

We are closely tracking and providing information on developments facing companies and organizations arising from the COVID-19 pandemic. In the latest alerts, our lawyers offer guidance on financial and tax relief provisions in Illinois; share observations of how landlords and real estate lenders are responding to defaulting tenants and borrowers; consider the effects of the crisis on M&A transactions; explore how social distancing affects ongoing environmental investigations and mediation; analyze how state and federal legislation may combat insurance coverage denials for COVID-19; and examine the Department of Labor’s guidance regarding expanded family and medical leave under the Families First Coronavirus Response Act. These alerts and others are available in the library of our COVID-19 / Coronavirus Resource Center.

 

CATEGORIES: Decisions of Note, Employment, Privacy Data Security, Securities

March 18, 2020 COVID-19 / Coronavirus Resources

When we read the daily news, we see uncharted waters. Industries are being impacted overnight. We continue to do everything we can to support clients as they navigate these times. Our lawyers have provided practical insight into the legal and strategic challenges companies are facing. Jenner & Block has assembled a multi-disciplinary team, drawn from a variety of our practice areas and sector groups, to support clients as they navigate these uncharted waters. We also continue to update our COVID-19 / Coronavirus Resource Center.  It provides helpful and timely information on the legal and strategic challenges companies are facing.  Following is a list of some of those pieces.

Evaluating Force Majeure Clauses in Connection with the COVID-19 Outbreak

As governments and businesses take action to mitigate the impact of COVID-19, companies must consider whether and to what extent their existing contractual agreements oblige parties to perform while events related to COVID-19 are impacting the performance under those contracts. Many contracts contain force majeure clauses that may excuse performance in the face of COVID-19. These provisions are not uniform, and the scope of relief they afford may vary considerably based upon the language used, the jurisdictions involved, and the unique facts and circumstances of each case. We provide a brief overview here of how a force majeure clause may excuse performance with respect to COVID-19-related events. To read more, please click here.

SEC Reacts to COVID-19 Crisis and Issues Relief Relevant to Public Companies and Regulated Entities

On Friday, March 13, 2020, and over the subsequent weekend, the Securities and Exchange Commission (SEC) and its staff made announcements with guidance and/or relief for public companies and firms experiencing challenges because of COVID-19 / coronavirus. The SEC and its staff appear to have calibrated the guidance and relief to balance investors’ need for information with the practical realities of an unprecedented public health event. The SEC also emphasized that it is continuing to “assess impacts relating to the coronavirus on investors and market participants, and will consider additional relief from other regulatory requirements.” To read more, please click here.

Cybersecurity Concerns with Regard to Work-From-Home Policies

The COVID-19 outbreak is causing many companies to consider work-from-home programs for many of their employees. Any arrangement where employees are permitted to work from home poses a unique set of cybersecurity risks and challenges, but those risks are heightened when a majority of the work force are away from offices that are controlled. Ensuring that appropriate technical and administrative safeguards are in place prior to launching wide-scale work-from-home programs is critical to ensuring the safety of your network and data.  For considerations that businesses should take into account when implementing work from home programs, please click here.

To stay abreast of developments through this unprecedented situation, continue to monitor the Consumer Law Round-Up blog and visit the resource library for helpful reference materials.

 

CATEGORIES: Employment, Privacy Data Security

August 7, 2019 New York SHIELD Act Expands Data Security and Breach Notification Requirements

By: Kara K. Trowell

On July 25, 2019, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which significantly amended the state’s data breach notification law to impose additional data security and data breach notification requirements on covered entities.

Expanded Definitions.

Under the new law, the definitions of “private information” and “breach of the security system” have been revised in ways that broaden the circumstances that qualify as a data “breach” and could trigger the notification requirements.  First, private information has been expanded to include:

  • (a) financial account numbers that can be used alone to access a financial account;
  • (b) biometric data used to authenticate an individual’s identity;
  • (c) standalone data such as a user name or email address in combination with a password or security question and answer that would permit access to an online account; and
  • (d) unsecured protected health information covered under HIPAA.

These changes effectively expand the types of situations covered by the law that could result in a breach of system security and trigger the notification requirements.

Second, the circumstances that qualify as a “breach” have been expanded to now include incidents that involve “access” to private information, regardless of whether they resulted in “acquisition” of that information.

Expanded Coverage.

Moreover, the SHIELD Act also expanded its data breach notification requirements to mandate compliance by any person or business that owns or licenses computerized data that includes the private information of New York residents, regardless of whether the person or business conducts business in New York.  It provides for exemptions under certain circumstances, such as when the “exposure of private information” was an “inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.”  Additionally, while businesses that are already regulated by and comply with data breach notice requirements under certain state and federal cybersecurity laws, such as HIPAA, GLBA and NY DFS Reg. 500, must also notify the state Attorney General, Department of State Division of Consumer Protection and Division of the State Police, they need not further notify affected New York residents.

New “Reasonable” Data Security Requirements.

The SHIELD Act also enacted requirements for covered entities to implement reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of sensitive data, and the law itself provides examples of “reasonable practices.”  Again, compliance is presumed for businesses that are already in compliance with applicable laws such as HIPAA and the GLBA.  Notably, there is a limited exemption to the requirement for small businesses, which are defined as any business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three years, or less than $5 million in year-end total assets.

Enforcement and Penalties for Non-Compliance.

The SHIELD Act does not provide consumers with a private right of action, but instead permits an attorney general to bring an action to enjoin violations of the law and obtain civil penalties.  For data breach notification violations that are neither reckless nor knowing, a court may award damages for actual costs or losses incurred by a person entitled to notice, including consequential financial losses.  For reckless or knowing violations, a court may impose increased penalties of the greater of $5,000 or up to $20 per instance for a maximum of $250,000.  For violations of the reasonable safeguard requirements, a court may impose penalties of not more than $5,000 per violation.  The time for commencing an action under the law has also been increased from two to three years from the date on which the attorney general became aware of the violation, or the date that the covered entity provided notice of the breach.  No action may be brought after six years from the date the breach was discovered unless the company took steps to hide the breach.

The SHIELD Act takes effect on March 21, 2020.

CATEGORIES: Privacy Data Security

April 29, 2019 HUD Brings Housing Discrimination Charge Against Facebook

By Emily A. Bruemmer

On March 28, 2019, the US Department of Housing and Urban Development (HUD) filed a Charge of Discrimination against Facebook, alleging that Facebook violated the Fair Housing Act “by encouraging, enabling, and causing housing discrimination through the company’s advertising platform.”  This is an administrative action filed by the Secretary of HUD, on behalf of complainant Assistant Secretary for Fair Housing and Equal Opportunity, before the Office of Administrative Law Judges at HUD.  Unless any of the parties chooses to have the case heard in federal district court, an administrative law judge will hear the charge and may award damages, in addition to injunctive or other equitable relief, attorney fees, and fines.  HUD previously announced a formal complaint, initiated by the Secretary of HUD, against Facebook in August 2018.  The formal complaint was the first step in a process that then moved to a fact-finding investigation.  Last month’s charge indicates that the investigation resulted in a determination that there was reasonable cause to believe that Facebook violated the Fair Housing Act.

The Fair Housing Act prohibits making, printing, or publishing (or causing to be made, printed, or published) notices, statements, or advertisements related to the sale or rental of a dwelling that indicate “any preference, limitation, or discrimination based on race, color, religion, sex, handicap, familial status, or national origin, or an intention to make any such preference, limitation, or discrimination.”  Here, HUD has alleged that Facebook violated that prohibition by allowing advertisers, not only on its social media platforms but also across the Internet through its advertising services, to select or exclude categories of recipients of housing-related advertising by making distinctions based on race, color, religion, sex, familial status, national origin, disability, and/or zip codes.  According to the charge, advertisers could use a map tool to exclude people who lived in specific areas by drawing red lines, evoking historical discrimination through “redlining.”

This enforcement action came just ten days after Facebook settled five lawsuits related to allegedly discriminatory advertising practices, including one by fair housing groups the National Fair Housing Alliance, Fair Housing Council of Greater San Antonio, Fair Housing Justice Center of New York, and Housing Opportunities Project for Excellence, Inc. of Miami related to Facebook’s housing advertisement practices, and one by the ACLU, the Communications Workers of America, and Outten & Golden LLP related to sex discrimination in employment advertisements.

As HUD General Counsel Paul Compton stated in the press release: “Fashioning appropriate remedies and the rules of the road for today’s technology as it impacts housing are a priority for HUD.”  Further, that HUD’s lawsuit follows Facebook’s settlements with private parties provides a reminder that settling lawsuits with private plaintiffs is no guarantee that a federal or state regulator will not bring its own, separate enforcement action.  The case will be an important one to watch.

CATEGORIES: Privacy Data Security

April 26, 2019 Facebook Announces Potential $5 Billion FTC Fine

By Emily A. Bruemmer

On April 24, 2019, Facebook announced in its Q1 earnings release that it had set aside $3 billion and estimates that it may pay up to $5 billion in a fine related to the FTC’s ongoing inquiry into its “platform and user data practices.” Facebook entered into a settlement with the FTC related to its privacy practices in 2011, which has reportedly been re-opened. This would be the largest fine ever imposed by the FTC on a technology company. The possibility of a “multi-billion dollar fine” was first reported this February by The Washington Post.

CATEGORIES: Privacy Data Security

March 20, 2019 Facebook Announces New Privacy Initiative

By Emily A. Bruemmer

On March 6, 2019, Facebook CEO Mark Zuckerberg announced via an interview and a Facebook blog post a planned shift to “building a privacy-focused messaging and social networking platform.”  Characterizing this shift as a “privacy-focused vision,” Zuckerberg said that this change in focus meant that Facebook and Instagram would not only function as “the digital equivalent of a town square” but also “the digital equivalent of the living room.”  This shift was billed in part as a response to user demand: according to the post, the “fastest growing areas of online communication” were private messaging, “ephemeral stories,” and small group communication.

According to the blog post, Facebook’s “privacy-focused platform” will be based on six principles: private interactions, encryption, reducing permanence, safety, interoperability, and secure data storage.  “Interoperability” refers to Facebook’s plan to integrate its messaging services across Facebook Messenger, WhatsApp, and Instagram Direct.  The blog post did not provide much detail on what these principles would mean in practice or what changes users would see from an experiential perspective, but rather qualified its efforts as being in the “early stages.”  

The blog post acknowledged Facebook’s reputation for not building “privacy protective services.”  In 2011, Facebook entered into a consent decree with the Federal Trade Commission (FTC) related to its privacy practices and has continued to face criticism for its privacy and data protection practices.  Indeed, just a few days prior to the announcement, news reports circulated regarding the ability to look up individuals on Facebook based on their telephone numbers, despite Facebook’s statements to users when they provided their telephone numbers that the number would be used for two-factor authentication.  Reports last year led to Facebook’s confirmation that the telephone numbers are also used for advertising. 

Some legislators and regulators have expressed concerns about information sharing between Facebook’s services. Last month, the German antitrust regulator issued a decision restricting Facebook from sharing information between services in the absence of users’ voluntary consent.  Facebook announced that it planned to appeal the decision.

CATEGORIES: Privacy Data Security
