The Supreme Court of Illinois recently held that every Illinois citizen has a private right of action to enforce violations of the Illinois Biometric Information Privacy Act (“BIPA”) without alleging or showing actual harm. Businesses collecting, using and storing the biometric data of Illinois consumers take notice: there are over 12 million regulators with the power to enforce this law against you. But don’t worry too much, the state’s high court promises that “Compliance should not be difficult.”
Late last year, the Supreme Court of Pennsylvania ruled that employers have a legal duty to safeguard employees’ sensitive personal information stored on an internet-accessible computer system, and that the state’s economic loss doctrine allowed the plaintiffs in Dittman to recover for purely monetary damages.
For many U.S. organizations, figuring out whether – and to what extent – Europe’s General Data Protection Regulation (“GDPR”) applies to their operations has caused a lot of headaches. Do you have an “establishment in the [European] Union”? Are you “offering…goods and services…to…data subjects in the Union”? Are you “monitoring” the behavior of data subjects in the Union? How will these terms be interpreted and enforced?
When an organization faces a security incident, it is thrown into a complicated analysis of forty-seven state breach notification laws. With the laws based on the residence of the affected consumer, consideration must be given to the variances in the definition of a breach that triggers notification; the content, timing, and manner of notification; additional regulatory, credit agency, or media communications; and potential litigation or enforcement. Thus, the states in which an organization provides goods or services and collects personal information can have a significant impact on obligations following a security incident.
On March 2, 2016, the CFPB finalized a Consent Order with Dwolla, an online payment platform, for violations of the CFPA. It is the CFPB’s first enforcement action related to data privacy and security. It is notable because Dwolla appears to have become an enforcement target due solely to its robust claims about security, and not due to any data breach. It also places obligations on Dwolla’s Board to become responsible for data privacy and security in the company.
The past week has seen two key developments in EU-US data privacy relations — the US enacted the Judicial Redress Act into law, and EU and US officials published the proposed EU-US Privacy Shield protocol for transatlantic data transfers. While the Privacy Shield still has a gauntlet of EU bureaucracy to navigate, companies that relied on Safe Harbor should begin to plan now to comply with the robust new requirements of Privacy Shield, or implement other measures to satisfy the EU Privacy Directive to import EU data to the US.
As part of a massive new initiative, Obama establishes the Federal Privacy Council and a national commission on cybersecurity.
On October 14, 2015, a St. Louis judge declared the city’s planned minimum wage increase invalid because it conflicts with the state minimum wage, currently set at $7.65 per hour. In August, the City of St. Louis passed an ordinance that would have eventually raised the minimum wage to $11.00 per hour by 2018. The first increase to $8.25 per hour was set to take effect on October 15, 2015.