Data Privacy & Cyber Security Law
How companies collect, use, and share personal data, how secure their data systems are, and how transparent they are about their data privacy and security practices, are popular public and legal issues. With several high-profile data breaches and data mining scandals, online privacy is a hot topic among legislatures, government regulators, consumer advocacy groups, and industry leaders. Privacy concerns also generate the attention of consumers. Indeed, consumers more regularly read websites’ and apps’ terms and conditions and privacy policies, which they used to largely ignore.
Companies need to be vigilant about their data privacy and security policies and practices. Government agencies and private groups are policing those practices to monitor whether companies are complying with their own policies and promises and maintaining industry standards on data security. Corporate and consumer customers expect organizations to maintain significant data security practices. Increasing enforcement actions and private lawsuits (including large class actions) have compelled companies to better vet their data collection and usage practices, engage experienced legal counsel and outside privacy vendors, and ensure their practices match their public-facing policies.
Ifrah Law has extensive experience in data privacy and cyber security law and is recognized as an industry leader. Practice Group Leader Michelle Cohen was recently appointed by OneTrust, a leading privacy, security and third-party risk technology platform, as a D.C. Chapter Chair of “Privacy Connect,” a global community of privacy, security and marketing professionals focused on tools and best practices. Michelle has also been recognized by the National Law Journal as a “Top Rated Lawyer” multiple times. She is featured as a technology law policy expert on “Sourcelist,” through the Brookings Institution (https://womenplus.sourcelist.org/experts/michelle-cohen.html). Since 2008, Michelle has been certified as a Certified Information Privacy Professional – CIPP (US), through the International Association of Privacy Professionals (IAPP). Associate Nicole Kardell currently co-chairs IAPP’s Washington D.C. KnowledgeNet chapter, which regularly hosts meetings and seminars regarding cutting-edge privacy topics in the D.C. area for privacy professionals. Nicole has been certified as a CIPP (EU) privacy professional for several years. Nicole and Michelle author the OneTrust DataGuidance privacy law overview for the District of Columbia.
Our Data Privacy and Cybersecurity Team regularly advises organizations on developing industry-appropriate protocols, drafting privacy policies, and preparing for and responding to data breaches. Our attorneys counsel businesses and individuals on information storage and rights of retrieval and deletion. Our clients span many industries, including fintech companies, healthcare companies, non-profit organizations, and social media influencers. In our Chambers-ranked Gaming practice, our clients are often required to collect substantial personal information to verify age and geolocation and to meet AML requirements. We help these businesses ensure that their practices comply with the evolving privacy and data security requirements, including substantial new state requirements.
What Are the Costs of Breaches in Data Privacy?
There are many ways in which a company’s private data can be infiltrated by third parties or, more commonly, leaked due to human error. Such a breach can be devastating to a company’s economic prospects, especially if private assets and intellectual property end up falling into the wrong hands. Beyond fines, audits, civil lawsuits, and potential criminal prosecution, companies that fail to protect personal data invoke the wrath of a public body that has grown increasingly frustrated with the misuse of its personal information. Breaches significantly erode consumer confidence, resulting in lost sales. Of course, defending a class action is not an inexpensive endeavor. Data breaches are costly. According to an annual report published by IBM Security, the average cost of a data breach is almost $4 million ($3.86 million for 2020, $3.92 million for 2019).
What Kinds of Regulations Govern Privacy and Cybersecurity in the United States?
Currently, there is no legislation at the federal level in the United States that universally addresses data privacy. There are certain industry-specific federal laws such as HIPAA (health privacy), Gramm-Leach-Bliley (financial privacy), and COPPA (children’s online privacy). However, there are several state-level legal and regulatory frameworks, and others that may become effective soon.
One of the most significant recent developments in state-level privacy law is California’s Consumer Privacy Act (CCPA), which was passed by the state legislature in 2019 and took effect on January 1, 2020.
Broadly speaking, the CCPA requires businesses that work extensively with personal data or bring in more than $25 million per year in revenue to inform customers of what personal data they are collecting, grant those customers the right to have their data deleted and prevent it from being sold, and refrain from penalizing customers who utilize their rights under the CCPA.
Other states are considering similar pieces of legislation, and the CCPA itself may be subject to additional expansion depending on the outcome of certain ballot initiatives. In the meantime, businesses are likely to be subject to continued class action litigation from California residents if they inadvertently leak customer data (as the law provides for a private right of action).
Data Protection for Children
One of the few pieces of federal legislation addressing data privacy is the Children’s Online Privacy and Protection Act (COPPA), which puts significant restrictions on what website operators and app developers can do with regard to the personal data of children under 13.
Specifically, Internet companies handling children’s data must have especially robust privacy policies and take extra care to ensure children’s personal information remains secure. This includes seeking explicit consent from parents before collecting a child’s personal information.
However, because this act has been around since 1998, not all of its components match up perfectly with modern data information collection. The Federal Trade Commission has pursued several high-profile enforcement issues under COPPA, resulting in multi-million-dollar settlements. Engaging specialized legal counsel is especially important for any business that needs to ensure compliance with COPPA, and other data privacy and cybersecurity laws related to children. Our attorneys have worked with several clients seeking COPPA guidance, including top social media influencers.
Ifrah Law’s GDPR Services
The General Data Protection Regulation (GDPR) became effective on May 25, 2018, and dramatically changed the way companies collect, store, or mine the personal data of European residents. Failure to comply risks lawsuits and significant fines for businesses.
Ifrah Law helps clients navigate the requirements for how companies handle personal data of European residents. Our attorneys offer a reasonably priced fixed fee program to review an organization’s current business practices and update contracts, policies, and protocols to help organizations remain GDPR compliant. We also help clients navigate the evolving legal requirements for data transfers between European and non-European countries.
How Can Ifrah Law Help Strengthen Your Data Privacy and Cybersecurity Strategy?
Even the most thorough privacy and cybersecurity strategy cannot account for every possible external factor and internal mistake, which is why seeking guidance from legal professionals with extensive experience in privacy and cybersecurity law is essential. Even if your business has not experienced a data breach, an experienced data privacy and cybersecurity lawyer can help your organization construct a comprehensive plan to minimize your risk of future leaks or fine-tune an existing plan to cover potential gaps.
In the aftermath of a data breach, our attorneys can help your company respond quickly to address legal ramifications, minimize damage to financial prospects, and address important public relations concerns.
Does GDPR Apply To You?
OneTrust DataGuidance
International Masters of Gaming Law (IMGL) 2019 Spring Conference
Zero Day Con at the Carnegie Institution For Science - Washington, DC
Digital Business Lawyer
Digital Business Lawyer (Vol. 20; Issue 5 - May 2018)
Global Issues Forum: How to Survive the Era of the Digital Border Search – Practical Issues Surrounding Law Enforcement Access to Phones, Laptops and Tablets
ACC National Capitol Region, McLean, VA
Money For Lunch Radio Program
Cyber Security Practitioner
Speaker to Japanese Delegation - Washington, DC
Corporate Compliance Insights
American Bar Association
E-Commerce Law & Policy
E-Commerce Law and Policy
E-Commerce Law & Policy
Takedown Notice Success for an International VIP
When a blogger posted information from a hacked computer about an important Middle Eastern leader, Ifrah Law was asked to help. The site contained threats to the national security of the politician’s country as well as the United States – and to the life of the politician. The matter needed immediate attention and we responded to get the site (and others where the statements had been posted) taken down.
But the law offers some remedies of its own. One is the Digital Millennium Copyright Act (DMCA), which is U.S. copyright law as well as part of two World Intellectual Property Organization (WIPO) treaties. The DMCA assigns no liability to an Internet Service Provider (ISP) for transmitting information that may infringe a copyright, but it forces the ISP to remove materials from users’ websites that appear to be copyright infringement. The DMCA provides for a takedown notice to be sent to an infringer’s ISP.
Ifrah Law successfully utilized takedown notices with two of the blogger’s ISPs as well as Facebook and is pursuing other sites. We impressed upon the web hosting companies that the content posed an immediate threat to national security. We also emphasized to one company that the blogger had violated their terms and conditions.
Privacy issues on the Internet may be rampant, but they do not have to be a fact of life.
Ensuring TCPA Compliance for a Global Provider of Customer Management Services
On behalf of our client, a leading provider of customer management services with call centers around the world, Ifrah Law led a full-scale review of its customer communications to ensure that they comply with federal and state requirements, including those of the TCPA and the FTC’s Telemarketing Sales Rule (TSR). We addressed the many different types of calls that the company undertakes on behalf of its varied customer base – service calls, appointments, live sales calling and pre-recorded calls – to ensure that its call centers are using consistent protocols and controls in the United States, and that these protocols are in compliance with the TCPA and TSR. Our client trusted Ifrah Law with this extensive project due to our long history with managing TCPA matters – we have been involved with the TCPA since its inception in 1991 – and due to our prior work for the client, including successfully representing the client in two FCC inquiries.
We worked with the company’s Director of Privacy to develop a thorough understanding of the types of calls that the company makes for its customers, and the contractual protections that are in place and which could be revised to protect the company further. A critical aspect of this project was to educate leaders within the company that there are different TCPA requirements based on the type of call: technology used, person being called, whether the call is pre-recorded or live; mobile or business. We also wrote the call center guidelines and controls to ensure that all employees – from those being trained to the marketing team – had the same information regarding how to handle different types of customer call projects.
This large-scale process took a year to complete. Once the documentation was finalized, our client was ready to begin a company-wide training program on the guidelines, well in advance of TCPA rule changes.
It’s been a busy summer for the FTC and the federal agency is dominating the headlines. There is the $5 billion settlement with Facebook for failing to better protect user privacy, which was announced earlier this month. Then there is the multimillion dollar settlement with Google for failing to adequately protect children’s privacy. That was…
No More Bait and Switch: Subscription-Based Businesses Need to Refine Their Pitch Under California Law
Effective July 1, companies that offer free gift or trial periods for their products or services can no longer bill California consumers automatically at the expiration of the gift or trial period. Companies will be required to provide a “clear and conspicuous” explanation of the price that will be charged—or how the pricing will change—at…
Make room Europe: California is taking on the data privacy challenge. For the last year or so, the privacy world has been abuzz with how to implement the E.U.’s General Data Protection Regulation. The buzz died down once GDPR went into effect in late May. But no rest for the weary. A little over a…
Eleventh Circuit Assumes FTC’s Data Security Enforcement Authority, But Mandates Specificity for FTC Orders
On June 6, 2018, the United States Court of Appeals for the Eleventh Circuit issued a landmark ruling in LabMD v. Federal Trade Commission. While the Eleventh Circuit impliedly held that the Federal Trade Commission (“FTC”) has authority to take enforcement action against companies whose unfair practices lead to data security incidents that pose…
A public service announcement of yesteryear posed the following question to parents: “It’s 8:00. Do you know where your children are?” Today’s technology allows parents to answer that question regardless of the time of day. That technology, however, has recently drawn scrutiny for violating the parental notice and consent provisions of the Federal Trade Commission’s…
The FTC is reported to be joining state and international regulators in examining Cambridge Analytica’s actions with data accessed from Facebook, including how the data analytics company obtained the information, what it did with the information, and whether Facebook complied with existing obligations, including a 2012 FTC consent decree. The situation underscores the importance of…
As previewed in our previous post, the United States Securities and Exchange Commission (“SEC”) unanimously approved new cybersecurity interpretive guidance—a format used to clarify the SEC’s views on security laws and regulations—on Wednesday of last week. The guidelines make no mention of how they affect and interplay with other regulators’ data privacy requirements, so whether…
Beginning on May 25, 2018, companies which process the personal data of European Union residents will be expected to comply with the General Data Protection Regulation, or GDPR. Even companies located in the United States are subject to this regulation, and violating its terms may result in class actions and hefty fines. If your company…
GDPR D-Day: May 25, 2018. If you are not prepared, the results could cost you Europe. In the U.S., we’ve had a pretty business-friendly approach to consumer data protection. And while federal and state authorities have their respective consumer protection laws, there is no single federal law that clearly defines U.S. policy on how consumer…
GDPR. If you see those letters and think it is an acronym for Gosh Darned Pain in the Rear (or an edgier equivalent) you are in large-part correct. But if you don’t know any more than that, and you are a company with any ties to Europe, then you need to read further. GDPR, the…
Acting Chairman of the Federal Trade Commission, Maureen Ohlhausen, answered questions about the FTC’s current role in data privacy before a crowded audience at the April 2017 IAPP Global Privacy Summit in D.C. Below are some take-aways we wanted to share from Commissioner Ohlhausen’s talk: Even if out of ISP oversight, the FTC is actively…
Your business booked a large charity event. However, the customer contact turns out to be a nightmare. She complains (during and after the event) that the service was slow, the food looked and tasted like a frozen meal, and the drinks were watered down. She even claims she was overcharged. You reviewed the situation and,…
Tom Kellermann, CEO of Strategic Cyber Ventures guest co-authored this post. A famous Homeland episode involved a terrorist gaining access to the Vice-President’s pacemaker. Accessing medical devices to wreak havoc was one of the motivations behind certain provisions of the Digital Millennium Copyright Act (aka the DMCA). The DMCA makes it “illegal to circumvent technological…
The Federal Trade Commission (“FTC”) recently released a data breach guide for businesses, along with a video and blog to help companies following the immediate aftermath of a data breach. The FTC also provides a model data breach letter to notify individuals of a breach. The agency – which views itself as the nation’s primary…
In March 2015, I wrote about the ongoing dispute between the FTC and LabMD, an Atlanta-based cancer screening laboratory, and looked at whether the FTC has the authority to take enforcement action over data-security practices alleged to be insufficient and therefore “unfair” under section 5(n) of the Federal Trade Commission Act (“FTCA”). On November 13,…
In the past few years, many organizations such as Capital One, Bass Pro Outdoor, and the Cosmopolitan Hotel have faced class actions alleging violations of California’s call recording law. This week, California’s Attorney General demonstrated that her office, working with state prosecutors, will also vigorously enforce the law under the state’s criminal statutes. Attorney General…
Despite not being explicitly mentioned in the Constitution, the Supreme Court has firmly held that a right to privacy for all Americans is found in several amendments to the Constitution, with almost 100 years of case law providing precedent for many personal privacy rights that have become a cornerstone of American culture. However, in this…
Exploiting consumers and exploiting consumer data were popular themes in the FTC’s October 30th workshop on lead generation, “Follow the Lead.” The day-long workshop explored the mechanics of lead generation and its role in the online marketplace. With a focus on the lending and education spaces, panelists discussed the many layers of marketing involved…
TCPA Trouble Continues: FCC Slams Lyft and First National Bank for Terms of Service Requiring Consent
Most of the attention involving the Telephone Consumer Protection Act (“TCPA”) has centered on the stream of class actions around the country. It is important to remember that the Federal Communications Commission (“FCC”) and state attorney generals can, and do, enforce the TCPA. In fact, the FCC recently issued citations to Lyft, the ride-sharing…
Every week, we learn about new data breaches affecting consumers across the country. Federal government workers and retirees recently received the unsettling news that a breach compromised their personal information, including social security numbers, job history, pay, race, and benefits. Amid a host of other public relations issues, the Trump organization recently discovered a potential…
In e-commerce, user reviews can make or break a business. Review sites such as Yelp are a double edged sword for merchants and service providers: on one hand satisfied customers can generate buzz about the company and bring in new customers, and on the other hand dissatisfied customers can use it as a very…
FTC seems more confident than ever in its authority to go after companies with insufficient data security measures. As of January 2015, FTC had settled 53 data-security enforcement actions, and FTC Senior Attorney Lesley Fair expects that number to increase. Not everyone is sanguine about FTC’s enforcement efforts. Companies targeted for administrative action complain…
The law of unintended consequences – a distant cousin of Murphy’s Law – states that the actions of human beings will always have effects that are unanticipated and unintended. The law could prove a perfect fit for recent efforts by class action counsel to rely upon the Federal Wiretap Act in lawsuits arising from…
Employers Running Background Checks: Top 10 Tips to Avoid Joining the Fair Credit Reporting Act Litigation “Club”
What do Whole Foods, Chuck E. Cheese, Michael’s Stores, Dollar General, Panera, Publix, and K-Mart have in common? Each of these companies has faced lawsuits (including class actions) under the Fair Credit Reporting Act (“FCRA”). Although Congress passed the FCRA way back in 1970 and litigation has focused on credit reporting agencies’ duties under…
It’s International Data Privacy Day! Every year on January 28, the United States, Canada and 27 countries of the European Union celebrate Data Privacy Day. This day is designed to raise awareness of and generate discussion about data privacy rights and practices. Indeed, each day new reports surface about serious data breaches, data practice concerns,…
Health cleanses to lose unwanted weight in a matter of weeks! Images of beautiful jewelry to be purchased at great prices that you can even resell! Personalized handbags made to order! If you have a Facebook account, it is more than likely you have seen many of these and similar posts by “friends” in…
Ifrah Law is a proud member of the Brand Activation Association (“BAA”). This week, we attended the BAA’s 36th annual BAA Marketing Law Conference in Chicago. Just as “Mad Men” reflects the 1960’s era advertising business, this year’s BAA conference demonstrated this generation’s marketing dynamic – where mobile is key, privacy concerns abound, and the Federal…
In August, the Federal Trade Commission (“FTC”) released a staff report concerning mobile shopping applications (“apps”). FTC staff reviewed some of the most popular apps consumers utilize to comparison shop, collect and redeem deals and discounts, and pay in-store with their mobile devices. This new report focused on shopping apps offering price comparison, special…
Restaurant chain Applebee’s has joined other businesses such as Overstock.com, Hilton, Capitol One, and Bass Pro Shops as defendants in purported class action lawsuits alleging that they illegally recorded calls to or from California residents. In fact, plaintiffs have filed hundreds of individual and class actions in California courts under California’s various eavesdropping/call recording laws….
In an important decision in a federal court case in New Jersey, In Re Nickelodeon Privacy Litigation, Google and Viacom obtained a dismissal of a claim against them under the Video Privacy Protection Act (“VPPA”). The decision narrows the scope of who can be liable under the VPPA and what information is within the…
Recently, the Maryland Attorney General’s Office announced that it reached a settlement with Snapchat, Inc. over alleged deceptive trade practices in violation of Maryland law and violations of federal laws that are intended to protect children’s online privacy. This is another reminder that state attorneys general’s offices will continue to be vigilant in addressing consumer…
Last week the Federal Trade Commission (“FTC”) charged the operators of Jerk.com with harvesting personal information from Facebook to create profiles for more than an estimated 73 million people, where they could be labeled a “Jerk” or “not a Jerk.” In the complaint, the FTC charged the defendants, Jerk, LLC and the operator of the…
After recovering from high-profile data breaches at Target and Neiman Marcus, signing up for free credit monitoring and analyzing our credit reports, a new Internet villain recently emerged: the “Heartbleed Bug.” The Heartbleed Bug is a security flaw present in OpenSSL, popular software run on most webservers. This open source software is widely used…