In 2016, the U.S. Supreme Court in Spokeo, Inc. v. Robins provided a potentially powerful Article III standing defense under F.R.Civ.P. 12(b)(1) seemingly applicable to a variety of privacy claims, including FCRA, FACTA, TCPA, and FDCPA statutory damage claims. The Court noted that for a plaintiff to establish standing to sue in federal court, she must establish an “injury in fact” consisting of an invasion of a legally protected interest, which is both particularized and concrete.

Spokeo dealt with the “concrete” portion. To be concrete, an injury must be real but may also be intangible. Congress’ intent in creating a right is instructive, but not sufficient. Allegations of a bare procedural violation likely would not suffice to maintain standing. Some injuries create harm, others do not. Thanks for that.

Continue Reading More or Less Than the Plaintiff Bargained For: Two Recent Appellate Courts Thwart Privacy Claims Based On The Contract

Europe’s data protection rules will undergo their biggest change in two decades when the new General Data Protection Regulation (“GDPR”) goes into effect on May 25, 2018. The GDPR replaces the current Data Protection Directive and imposes uniform data security requirements on all EU members. While the GDPR is “an evolution, not a revolution” for data protection, there are several significant changes for which companies should be prepared.

Continue Reading Ready or Not, It’s Coming: Preparing for the GDPR

There was a recent headline-making story involving a Wisconsin employer that announced it was offering its employees the option to be microchipped to replace security badges they use regularly at work. Of the 85 employees, 41 decided to have the small chip implanted in their hand. Husch Blackwell attorneys Laura Ferrari and Erik Eisenmann break down the seemingly futuristic concept of “chipped” employees and the privacy concerns it brings in a post that originated on Husch Blackwell’s Technology, Manufacturing and Transportation Industry Insider blog.

The Occupational Safety and Health Administration (OSHA), an organization created by Congress to assure safe and healthful working conditions for working men and women, declared on Friday, August 25, 2017, that what was believed to be a data breach by the Department of Homeland Security was incorrect. The false alarm breach was related to data included in Injury Tracking Applications (ITA), which organizations must submit electronically to report injury or illness. Husch Blackwell attorneys Erik Dullea and Matt Diehr provide insight into this issue and background on whether the data in an ITA is properly protected.

The advice we always give to clients regarding privacy policies is: “say what you do and do what you say.” It seems simple, but simplicity can be deceiving. Companies want to reassure consumers that their personal data is safe and secure; however, in today’s world, no one can make fail-safe representations of security. Uber’s recent settlement with the FTC illustrates this problem.

Continue Reading Don’t Make “Uber” Promises You Can’t Keep

These days a data security plan should be treated as a top priority for all businesses. In the United States, the law dictates that businesses must secure any non-public third-party data they possess, which makes data security no longer a choice, but rather a legal obligation. Andrew Schlidt, a member of Husch Blackwell’s Data Privacy, Security & Breach Response team, gives tips on how to comply with data security laws by implementing a “Written Information Security Plan” or “WISP.” The resourceful information is outlined in the “Legal Login” piece by IB Madison.

Yesterday’s post by Sean Tassi on Husch Blackwell’s Higher Education Legal Insights provides colleges and universities with low-tech strategies to guard their data against criminal activity. The information in his post serves as a good reminder to remove unnecessary personal information (“PI”) on forms and documents.

If you have further questions, members of our Data Privacy, Security & Breach Response team can address them.

With the rise of innovations like cloud technology and software-as-a-service, clients are increasingly finding that it makes business sense to outsource computerized services, from payroll processing to the storage of electronic medical records. While doing so often cuts costs, routing (frequently confidential) data through third-party service providers also implicates serious cybersecurity concerns and, in some cases, may increase potential liability. Further, one of the pillars of a commercially reasonable information security program is selecting and retaining service providers capable of maintaining appropriate safeguards. To address these concerns, and to keep data safe, clients should require service providers to furnish them with Service Organization Control (“SOC”) Reports, particularly SOC 2 Reports.

SOC Reports were developed by the American Institute of CPAs (AICPA) to provide information about the robustness and quality of a service provider’s internal controls over certain types of data. There are three types of SOC Reports, each serving separate functions.

Continue Reading SOC It To ‘Em: Securing Your Outsourced Data with SOC 2 Reports

Data security breaches are impacting long-standing and start-up corporations, as well as public and private entities. No one is immune from these threats, and understanding their prevalence is the first step in preventing them from impacting your organization. Aleks Ostojic Rushing provides the background on phishing expeditions, ways to identify phishing attacks and what you can do to protect yourself in a post on Husch Blackwell’s Technology, Manufacturing and Transportation Industry blog.
