Last month, judges from the European Court of Justice, the European Union’s top court, issued a judgment striking down a 15-year old agreement, known as the Safe Harbor framework, which allowed American and European businesses to freely move personal data between the two regions. This ruling impacts nearly 4,000 businesses that currently rely on Safe Harbor framework to transfer data between the U.S. and Europe and requires all businesses to revaluate their compliance with Europeans standards.
Category: Privacy and Data Security
Defend Trade Secrets Act of 2015 Would Create a Federal Private Right of Action for the Misappropriation of Trade Secrets
On July 29, 2015, with bipartisan support, Congressional leaders in both the House and the Senate introduced identical bills, HR 3326 and S. 1890, respectively, entitled, the “Defend Trade Secrets Act of 2015” (“DTSA 2015”). The proposed legislation attempts to authorize a private civil action in federal court for the misappropriation of a trade secret that is related to a product or service used in, or intended for use in, interstate or foreign commerce. Additionally, the proposed legislations seeks to (a) create a uniform standard for trade secret misappropriation; (b) provide parties pathways to injunctive relief and compensatory damages; and (c) create remedies for trade secret misappropriation that are similar to other violations of intellectual property rights, for example, including exemplary damages and attorneys’ fees available in the event of willful and malicious misappropriation of a trade secret. An interesting feature of the DTSA 2015 is the availability of an ex parte seizure order for plaintiffs fearful of the dissemination of their trade secret(s). The proposed ex parte seizure allows for the government to seize property necessary to prevent the propagation or dissemination of the trade secret prior to giving notice of the lawsuit to the defendant.
While the winter holidays are a time for spending and good cheer, the 2013 holiday season was one that continues to be costly for Target. On December 19, 2013, Target publicly announced that computer hackers had stolen data, including credit card payment information, from millions of Target shoppers. In January 2014, Gibbons P.C., in light of the Target data breach, discussed the ramifications of delay in notifying consumers, whether the delay was intentional or as a result of compliance with law enforcement requests. Banks and credit unions, which had issued credit cards affected by the breach, were forced to reimburse Target customers in some cases and reissue millions of cards, brought a class action lawsuit against Target.
Class Action Certified in In re Yahoo Mail Litigation for Violations of Stored Communication Act and California’s Invasion of Privacy Act
On May 28, 2015, U.S. District Judge Lucy Koh in the Northern District of California certified a class of email users in a privacy action that claims Yahoo Inc. (“Yahoo”) violated the federal Stored Communications Act (“SCA”) and California’s Invasion of Privacy Act (“CIPA”) through its practice of scanning and analyzing emails of non-Yahoo Mail subscribers in order to display targeted ads to Yahoo Mail subscribers. In re Yahoo Mail Litigation, No. 13-CV-04980-LHK, (N.D. Cal. 2015). Plaintiffs are non-Yahoo Mail subscribers who sent emails to Yahoo Mail subscribers from non-Yahoo email accounts and allege that Yahoo routinely copies and extracts key words from emails and stores this information for later use. Plaintiffs allege that Yahoo’s practices violate § 2702(a)(1) of the SCA, which prohibits, among other items, divulging the contents of a communication without consent and § 631 of CIPA, which prohibits the recording or reading of any type of communication without the prior consent of all parties.
Effective October 1, 2015, employers in the State of Connecticut are restricted from requiring or requesting employees and job applicants to provide access to “personal online accounts,” which include email, social media and retail-based Internet web sites used exclusively for personal reasons. Specifically, the new law (Public Act No. 15-6) (“the Act”), prohibits employers from requesting or requiring employees or job applicants to: provide the username and password, password, or other means of authentication to access an individual’s personal online account; authenticate or access a personal online account for the employer to view; or invite an employer to accept an invitation or be compelled to accept an invitation from an employer to join a group related to a personal online account.
On May 6, 2015, New York City Mayor, Bill De Blasio, signed legislation proposed by the City of New York likely to limit an employer’s ability to use credit checks when making hiring and retention decisions. The law goes into effect 120 days from May 6, 2015, or on September 3, 2015. We analyzed the new law in detail in a recent blog.
The City of New York likely will tighten the reins on an employer’s ability to use credit checks when making hiring and retention decisions. The City Council approved a bill that would amend the New York City Human Rights Law, § 8-102 et seq. (“NYCHRL”) to prohibit an employer, labor organization, employment agency, or their agents from using an applicant’s or employee’s “consumer credit history” for employment purposes or to otherwise discriminate against an applicant or employee based on consumer credit history. If the legislation is signed by the Mayor – on whose desk the proposed bill now sits – it will go into effect within 120 days after the Mayor signs.
In Peters v. St. Joseph Servs. Corp., the United States District Court for the Southern District of Texas recently dismissed a class action complaint seeking damages arising out of a data incursion. The Court dismissed the complaint under Federal Rule of Civil Procedure 12(b)(1) for lack of standing without leave to amend, while granting the plaintiff 30 days to raise her state and common law claims in state court.
On December 15, 2014, the New Jersey Assembly voted 75-to-0 to advance a bill that would expand the existing data breach notification requirements for companies doing business in the state. The bill, A3146, would broaden the type of information that, if compromised, would trigger a company’s obligation to notify customers of the breach. The proposal now heads to the Senate, where a similar bill, S2188, has been pending in the Commerce Committee since June.
On September 17, 2014, the Second Circuit issued its long awaited decision in Gucci America, Inc. et. al. v. Li et. al., 2014 WL 4629049 (Appeal Nos. 11-3934 & 12-4557). In its decision, the Court vacated and remanded an August 2011 order compelling nonparty Bank of China (BOC) to comply with a document subpoena and asset freeze provision in an injunction and a May 2012 order denying the bank’s motion to reconsider. The court also reversed a November 2012 decision holding the bank in contempt for non-compliance with the court’s August 2011 order and imposing civil penalties.