Jenner & Block

Consumer Law Round-Up

August 7, 2019 New York SHIELD Act Expands Data Security and Breach Notification Requirements

By: Kara K. Trowell

On July 25, 2019, New York enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which significantly amended the state’s data breach notification law to impose additional data security and data breach notification requirements on covered entities.

Expanded Definitions.

Under the new law, the definitions of “private information” and “breach of the security system” have been revised in ways that broaden the circumstances that qualify as a data “breach” and could trigger the notification requirements.  First, private information has been expanded to include:

  • (a) financial account numbers that can be used alone to access a financial account;
  • (b) biometric data used to authenticate an individual’s identity;
  • (c) standalone data such as a user name or email address in combination with a password or security question and answer that would permit access to an online account; and
  • (d) unsecured protected health information covered under HIPAA.

Because each of these data elements now counts as private information, incidents involving them can constitute a breach of the security of the system and trigger the notification requirements.

Second, the circumstances that qualify as a “breach” have been expanded to include incidents involving unauthorized “access” to private information, regardless of whether that access resulted in “acquisition” of the information.  The law identifies indications that information has been viewed, communicated with, used or altered without authorization as factors in determining whether access has occurred.

Expanded Coverage.

The SHIELD Act also expanded the reach of its data breach notification requirements to any person or business that owns or licenses computerized data that includes the private information of New York residents, regardless of whether the person or business conducts business in New York.  It provides for exemptions under certain circumstances, such as when the “exposure of private information” was an “inadvertent disclosure and the individual or business reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials.”  Additionally, businesses that are already regulated by and comply with the data breach notice requirements of certain state and federal laws, such as HIPAA, GLBA and NY DFS Reg. 500, need not separately notify affected New York residents, but they must still notify the state Attorney General, the Department of State Division of Consumer Protection and the Division of the State Police.

New “Reasonable” Data Security Requirements.

The SHIELD Act also enacted requirements for covered entities to implement reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of private information, and the law itself provides examples of “reasonable practices” for each category, such as designating employees to coordinate the security program, assessing risks in network and software design, and detecting, preventing and responding to attacks or system failures.  As with the notification requirements, compliance is deemed satisfied for businesses that are already in compliance with applicable laws such as HIPAA and the GLBA.  Notably, there is a limited accommodation for small businesses, defined as any business with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets: a small business must still maintain safeguards, but they need only be appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of the information it collects.

Enforcement and Penalties for Non-Compliance.

The SHIELD Act does not provide consumers with a private right of action, but instead permits the New York Attorney General to bring an action to enjoin violations of the law and obtain civil penalties.  For data breach notification violations that are neither reckless nor knowing, a court may award damages for the actual costs or losses incurred by persons entitled to notice, including consequential financial losses.  For reckless or knowing violations, a court may impose increased penalties of the greater of $5,000 or up to $20 per instance of failed notification, up to a maximum of $250,000.  For violations of the reasonable safeguard requirements, a court may impose penalties of not more than $5,000 per violation.  The time for commencing an action under the law has also been increased from two to three years from the date on which the Attorney General became aware of the violation, or the date on which the covered entity provided notice of the breach.  No action may be brought more than six years after the date the breach was discovered unless the company took steps to hide the breach.

The SHIELD Act’s amendments to the breach notification provisions take effect on October 23, 2019, 90 days after signing; the reasonable data security requirements take effect on March 21, 2020.

CATEGORIES: Privacy Data Security

April 29, 2019 HUD Brings Housing Discrimination Charge Against Facebook

By Emily A. Bruemmer

On March 28, 2019, the US Department of Housing and Urban Development (HUD) filed a Charge of Discrimination against Facebook, alleging that Facebook violated the Fair Housing Act “by encouraging, enabling, and causing housing discrimination through the company’s advertising platform.”  This is an administrative action filed by the Secretary of HUD, on behalf of complainant Assistant Secretary for Fair Housing and Equal Opportunity, before the Office of Administrative Law Judges at HUD.  Unless any of the parties chooses to have the case heard in federal district court, an administrative law judge will hear the charge and may award damages, in addition to injunctive or other equitable relief, attorney fees, and fines.  HUD previously announced a formal complaint, initiated by the Secretary of HUD, against Facebook in August 2018.  The formal complaint was the first step in a process that then moved to a fact-finding investigation.  Last month’s charge indicates that the investigation resulted in a determination that there was reasonable cause to believe that Facebook violated the Fair Housing Act.

The Fair Housing Act prohibits making, printing, or publishing (or causing to be made, printed, or published) notices, statements, or advertisements related to the sale or rental of a dwelling that indicate “any preference, limitation, or discrimination based on race, color, religion, sex, handicap, familial status, or national origin, or an intention to make any such preference, limitation, or discrimination.”  Here, HUD has alleged that Facebook violated that prohibition by allowing advertisers, not only on its social media platforms but also across the Internet through its advertising services, to select or exclude categories of recipients of housing-related advertising by making distinctions based on race, color, religion, sex, familial status, national origin, disability, and/or zip code.  According to the charge, advertisers could use a map tool to exclude people who lived in specific areas by drawing red lines around them, evoking the historical discriminatory practice of “redlining.”

This enforcement action came just ten days after Facebook settled five lawsuits related to allegedly discriminatory advertising practices, including one by fair housing groups the National Fair Housing Alliance, Fair Housing Council of Greater San Antonio, Fair Housing Justice Center of New York, and Housing Opportunities Project for Excellence, Inc. of Miami related to Facebook’s housing advertisement practices, and one by the ACLU, the Communications Workers of America, and Outten & Golden LLP related to sex discrimination in employment advertisements.

As HUD General Counsel Paul Compton stated in the press release: “Fashioning appropriate remedies and the rules of the road for today’s technology as it impacts housing are a priority for HUD.”  Further, that HUD’s lawsuit follows Facebook’s settlements with private parties provides a reminder that settling lawsuits with private plaintiffs is no guarantee that a federal or state regulator will not bring its own, separate enforcement action.  The case will be an important one to watch.

CATEGORIES: Privacy Data Security

April 26, 2019 Facebook Announces Potential $5 Billion FTC Fine

By Emily A. Bruemmer

On April 24, 2019, Facebook announced in its Q1 earnings release that it had set aside $3 billion and estimates that it may pay up to $5 billion in a fine related to the FTC’s ongoing inquiry into its “platform and user data practices.”  Facebook entered into a settlement with the FTC related to its privacy practices in 2011, which has reportedly been re-opened.  This would be the largest fine ever imposed by the FTC on a technology company.  The possibility of a “multi-billion dollar fine” was first reported this February by The Washington Post.

CATEGORIES: Privacy Data Security

March 20, 2019 Facebook Announces New Privacy Initiative

By Emily A. Bruemmer

On March 6, 2019, Facebook CEO Mark Zuckerberg announced via an interview and a Facebook blog post a planned shift to “building a privacy-focused messaging and social networking platform.”  Characterizing this shift as a “privacy-focused vision,” Zuckerberg said that this change in focus meant that Facebook and Instagram would function not only as “the digital equivalent of a town square” but also as “the digital equivalent of the living room.”  This shift was billed in part as a response to user demand: according to the post, the “fastest growing areas of online communication” were private messaging, “ephemeral stories,” and small group communication.

According to the blog post, Facebook’s “privacy-focused platform” will be based on six principles: private interactions, encryption, reducing permanence, safety, interoperability, and secure data storage.  “Interoperability” refers to Facebook’s plan to integrate its messaging services across Facebook Messenger, WhatsApp, and Instagram Direct.  The blog post did not provide much detail on what these principles would mean in practice or what changes users would see from an experiential perspective, but rather qualified its efforts as being in the “early stages.”  

The blog post acknowledged Facebook’s reputation for not building “privacy protective services.”  In 2011, Facebook entered into a consent decree with the Federal Trade Commission (FTC) related to its privacy practices, and it has continued to face criticism for its privacy and data protection practices.  Indeed, just a few days prior to the announcement, news reports circulated regarding the ability to look up individuals on Facebook by the telephone numbers they had supplied for two-factor authentication, despite Facebook’s statements to users, when they provided those numbers, that they would be used for two-factor authentication.  Reports last year led to Facebook’s confirmation that the telephone numbers are also used for advertising.

Some legislators and regulators have expressed concerns about information sharing between Facebook’s services.  Last month, the German antitrust regulator (the Bundeskartellamt) issued a decision restricting Facebook from combining user data across its services, and from third-party websites, in the absence of users’ voluntary consent.  Facebook announced that it planned to appeal the decision.

CATEGORIES: Privacy Data Security