President Trump’s first tweet in office was sent within an hour of his inauguration on January 20, 2017, and it has been followed by hundreds of tweets from both @POTUS and @realDonaldTrump. Are his tweets considered presidential records to be preserved permanently by the National Archives and Records Administration at a future Trump presidential library? What is the record status of his deleted tweets? And what is the record status of other state-of-the-art communications like Confide and Signal, which are designed to self-destruct like the message on the tape in “Mission: Impossible”?
Year: 2017
“Do What You Say and Say What You Do” — The FTC’s Settlement with Uber
- Settlement reaffirms the importance for companies to deliver on to the privacy and security promises made to consumers
- Settlement is yet another reminder of one of the most important components of good data security – controlling access to sensitive information.
The Federal Trade Commission (“FTC”) announced, subject final approval after a 30-day comment period, a consent order with Uber Technologies (“Uber”) settling allegations that Uber misrepresented the extent to which it monitored its employees’ access to personal information about users and drivers and that it took reasonable steps to secure such information. The consent agreement does not contain monetary penalties, but does prohibit Uber from misrepresenting its privacy and security practices and requires that Uber establish a comprehensive privacy program that includes an independent third-party audit every two years for the next 20 years. The FTC’s complaint highlights practices that the FTC finds fail to provide reasonable security when utilizing the services of a third-party could storage service, Amazon Web Services (“AWS”).
Continue reading ““Do What You Say and Say What You Do” — The FTC’s Settlement with Uber”
Fact Sheet: NYDFS Cyber Regulations
The New York Department of Financial Services’ Cyber Requirements for Financial Services Companies, 23 NYCRR 500 (“Cyber Regulations”) went into effect on March 1, 2017. The Cyber Regulations are intended to require financial companies to assess their internal cybersecurity risks and develop a cybersecurity program to protect customer information and their IT systems, as well as respond, recover, and report cyber threats. The Cyber Regulations establish a comprehensive set of proactive cybersecurity standards for companies to follow, involving everything from appointing a designated Chief Information Security Officer (CISO) to submitting an annual compliance notice, and conducting penetration testing and vulnerability assessments.
Here is an overview of some key terms, requirements and deadlines under these new regulations.
New FDA Guidance on Waiver of Informed Consent for Minimal Risk Investigations
The FDA recently issued new guidance that allows institutional review boards (IRBs) to waive or alter the FDA’s informed consent requirements for certain minimal risk clinical investigations without objection from the FDA.
The statutory basis for the guidance comes from amendments made by the 21st Century Cures Act from late in 2016 (P.L 144-255). This guidance, which took effect on July 25, 2017, is the first step for the FDA on this issue. The FDA intends to implement subsequent regulations to permit IRB waiver or alterations of informed consent requirements for minimal risk clinical investigations.
Continue reading “New FDA Guidance on Waiver of Informed Consent for Minimal Risk Investigations”
Beyond FERPA: Safeguarding Student Data Is Key Obligation for Postsecondary Educational Institutions
Most institutions of higher education are very familiar with the Family Educational Rights Protection Act (FERPA), which applies to all state and local, public and private educational institutions that receive federal funds through programs administered by the U.S. Department of Education (ED). Unless at least one of FERPA’s exceptions applies, institutions risk sanctions from ED – including the potential loss of all federal funding – if they disclose a student’s personally identifiable information (PII) from an education record without the student’s express prior written consent. Beyond FERPA, higher education institutions have additional legal responsibilities to assiduously secure and protect student data from inadvertent disclosure, particularly financial information maintained by an institution regarding students or their families.
FTC Updates COPPA Guidance to Approve New Parental Consent Methods; Clarify Obligations for Sites not Primarily Targeting Children
The Federal Trade Commission (FTC) has updated its guidance applicable to the Children’s Online Privacy Protection Act (COPPA) to reflect developments in the digital advertising ecosystem and a burgeoning Internet of Things marketplace. The Guidance revises its six-step compliance plan to keep current with developing technology.
The Guidance, which had existed in substantially the same form since 2015, contains three new updates relating to new methods for obtaining parental consent, new products covered by COPPA, and new business models.