Discerning Data Editorial Board, Author at Discerning Data

Delaware Amends Data Breach Notification Law

Delaware recently amended its data breach notification laws through House Bill 180, which now expands the definition of breach and personal information. It is now among 14 states to impose explicit data security obligations on businesses. While revisions to the law are in some ways more stringent, they are also more balanced by including a risk of harm requirement.

Under the amended law, which will go into effect on April 14, 2018, the definition of breach has been expanded to include not only unauthorized acquisition, but also disclosure of electronic or paper files, media, databases or other data. The law also broadens the scope of personal information to include user name or email address, in combination with a password or security question, and answer medical information, and unique biometric data.

Continue reading “Delaware Amends Data Breach Notification Law”

Recordkeeping Corner: All About Those Presidential Tweets & Self-Destructing Messages

President Trump’s first tweet in office was sent within an hour of his inauguration on January 20, 2017, and it has been followed by hundreds of tweets from both @POTUS and @realDonaldTrump. Are his tweets considered presidential records to be preserved permanently by the National Archives and Records Administration at a future Trump presidential library? What is the record status of his deleted tweets? And what is the record status of other state-of-the-art communications like Confide and Signal, which are designed to self-destruct like the message on the tape in “Mission: Impossible”?

Continue reading “Recordkeeping Corner: All About Those Presidential Tweets & Self-Destructing Messages”

“Do What You Say and Say What You Do” — The FTC’s Settlement with Uber

Settlement reaffirms the importance for companies to deliver on to the privacy and security promises made to consumers
Settlement is yet another reminder of one of the most important components of good data security – controlling access to sensitive information.

The Federal Trade Commission (“FTC”) announced, subject final approval after a 30-day comment period, a consent order with Uber Technologies (“Uber”) settling allegations that Uber misrepresented the extent to which it monitored its employees’ access to personal information about users and drivers and that it took reasonable steps to secure such information. The consent agreement does not contain monetary penalties, but does prohibit Uber from misrepresenting its privacy and security practices and requires that Uber establish a comprehensive privacy program that includes an independent third-party audit every two years for the next 20 years. The FTC’s complaint highlights practices that the FTC finds fail to provide reasonable security when utilizing the services of a third-party could storage service, Amazon Web Services (“AWS”).

Continue reading ““Do What You Say and Say What You Do” — The FTC’s Settlement with Uber”

New FDA Guidance on Waiver of Informed Consent for Minimal Risk Investigations

The FDA recently issued new guidance that allows institutional review boards (IRBs) to waive or alter the FDA’s informed consent requirements for certain minimal risk clinical investigations without objection from the FDA.

The statutory basis for the guidance comes from amendments made by the 21st Century Cures Act from late in 2016 (P.L 144-255). This guidance, which took effect on July 25, 2017, is the first step for the FDA on this issue. The FDA intends to implement subsequent regulations to permit IRB waiver or alterations of informed consent requirements for minimal risk clinical investigations.

Continue reading “New FDA Guidance on Waiver of Informed Consent for Minimal Risk Investigations”

FTC Updates COPPA Guidance to Approve New Parental Consent Methods; Clarify Obligations for Sites not Primarily Targeting Children

The Federal Trade Commission (FTC) has updated its guidance applicable to the Children’s Online Privacy Protection Act (COPPA) to reflect developments in the digital advertising ecosystem and a burgeoning Internet of Things marketplace. The Guidance revises its six-step compliance plan to keep current with developing technology.

The Guidance, which had existed in substantially the same form since 2015, contains three new updates relating to new methods for obtaining parental consent, new products covered by COPPA, and new business models.

Continue reading “FTC Updates COPPA Guidance to Approve New Parental Consent Methods; Clarify Obligations for Sites not Primarily Targeting Children”

New Jersey Enacts Personal Information and Privacy Protection Act

The New Jersey “Personal Information and Privacy Protection Act” was signed into law on July 21, 2017 by Governor Chris Christie and will be effective November 1, 2017.

The law restricts the way retail establishments may collect and use the personal information contained in the electronic data embedded in identification cards, such as driver’s licenses. The law responds to concerns raised by reports related to how businesses use and store personal information obtained from scanned driver’s licenses.

Continue reading “New Jersey Enacts Personal Information and Privacy Protection Act”

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Author: Discerning Data Editorial Board