Data privacy litigation and enforcement actions continue to roil the private sector, most recently with the FTC’s announcement of a $425 million settlement with Equifax in the wake of the Equifax data breach. Less discussed is the fact that data privacy and security remains a real threat in the public sector. As we recently reported, the 2019 Verizon Data Breach Investigations Report found that 16% of confirmed data breaches were in the public sector. Three recent developments highlight the breadth and scope of the threat, reflecting that federal agencies and government contractors remain vulnerable to cyberattacks and may be subject to liability for cybersecurity failures.
Author: Discerning Data Editorial Board
An Update on Federal Policy Regarding Chief Data Officers and Data Governance: New OMB Memo
The Office of Management and Budget (OMB) has issued a recent memorandum that moves the federal government forward in embracing the importance of the “governance” of data.
Second Circuit Holds That Blocking Users’ Access To Presidential Twitter Account Violates First Amendment
On July 9, 2019, the U.S. Court of Appeals for the Second Circuit held that the First Amendment prohibits the government from blocking social media users from accessing the Twitter account @realDonaldTrump. See Knight First Amendment Institute at Columbia University v. Trump, — F.3d –, 2019 WL 2932440 (2d Cir. July 9, 2019).
The Court noted that President Trump “concedes that he blocked the Individual Plaintiffs because they posted tweets that criticized him or his policies,” and “that such criticism is protected speech.” However, the government contended that when the President took that action “he was exercising control over a private, personal account,” the character of which had not changed since it had been opened as a social media platform in 2009 to share opinions on popular culture, world affairs, and politics. The government further argued that the Twitter account is not a public forum or, in the alternative, if the Court were to find that the account was a public forum, that blocking the individual plaintiffs “did not prevent them from accessing the forum.”
California’s BOT Disclosure Law, SB 1001, Now In Effect
The B.O.T. (“Bolstering Online Transparency”) Act, enacted last year pursuant to SB 1001, has gone into effect in California. As of July 1, it is unlawful for a person or entity to use a bot to communicate or interact online with a person in California in order to incentivize a sale or transaction of goods or services or to influence a vote in an election without disclosing that the communication is via a bot. The law defines a “bot” as “an automated online account where all or substantially all of the actions or posts of that account are not the result of a person.” The required disclosure must be clear, conspicuous, and reasonably designed to inform persons with whom the bot communicates or interacts that it is a bot.
The law is the first of its kind enacted by a state legislature and applies only to communications with persons in California. In addition, it applies only to public-facing Internet Web sites, applications, or social networks that have at least 10 million monthly U.S. visitors or users. While the law contains no private right of action and expressly “does not impose a duty on service providers of online platforms,” failure to abide by the disclosure requirement, as enforced by the Attorney General, may constitute a violation of California’s unfair competition laws and result in fines and equitable remedies.
FTC Litigation with D-Link Ends with Comprehensive Settlement
In 2017, the FTC filed a complaint against D-Link Systems, Inc. (D-Link) alleging that the Taiwan-based computer networking equipment manufacturer had taken inadequate security measures which left its wireless routers and Internet-connected cameras vulnerable to hackers. In early July, D-Link agreed to a settlement that includes a requirement that it implement a comprehensive software security program, and obtain biennial, independent third-party assessments of its software security program for 10 years.
Continue reading “FTC Litigation with D-Link Ends with Comprehensive Settlement”
Texas Amends State Breach Notification Law and Creates Advisor Council to Study Privacy Laws
Businesses in Texas that own or license computerized data will expect a shortened data breach notification deadline for any breach of sensitive personal information after January 1, 2020. Meanwhile, reporting to state attorney general (“AG”) will become mandatory if more than 250 Texans are involved in a single data breach.