FCC Corrects July 10, 2015 TCPA Order

Written by
This week, the FCC issued the following correction of its July 10, 2015 Order on the Telephone Consumer Protection Act (“TCPA”): In Paragraph 100, the fourth sentence is corrected to read as follows: “It follows that the rule applies per call and that telemarketers should not rely on a consumer’s written consent obtained before the current rule took effect if that consent does not satisfy the current rule.”  The paragraph had previously stated, incorrectly, “if that consent does satisfy the current rule.” The message in the correction is clear: Any caller must have obtained [...] Read more

Swire on the Declining Half-Life of Secrets

Written by
On Friday, Peter Swire released his new paper titled “The Declining Half-Life of Secrets.” In this paper, Swire examines the challenges faced by the national security and signals intelligence communities in maintaining secrets. Swire’s paper explains why intelligence operations will continue to face ‘leaks’ given the pervasiveness and power of modern computing and the internet, the libertarian ethos of many information technology workers, and the changing nature of signals intelligence work. Within this context, Swire recommends that policy should focus on the ‘when’ (and not the [...] Read more

Amended Washington Data Breach Law Requires Attorney General Notification, Imposes 45-Day Notice Time Limit

Written by
Earlier this year, Washington passed an amended version of its data breach notification law, which goes into effect Friday July 24, 2015.  Washington’s updated breach notification statute will now, among other things, require compromised entities to notify the state Attorney General (AG) in some circumstances, and require notification to both consumers and, as applicable, the state AG within 45 days of discovering a breach.  Washington’s amended statute adds to the chorus of states that have updated their breach notification laws in 2015, including Connecticut, Montana, Nevada, North Dakota, [...] Read more

PCI Security Standards Council Issues New Supplementary Compliance Requirements for the Data Security Standard

Written by
The Payment Card Industry (“PCI”) Security Standards Council (“SSC”) recently published a supplement to the PCI Data Security Standard (“DSS”) that will require certain Designated Entities to comply with an additional set of compliance-based requirements.  The additional requirements, called the “Designated Entities Supplemental Validation,” or DESV, are designed to “help organizations make payment security part of everyday business practice” and are “intended to provide greater assurance that PCI DSS controls are maintained effectively and on a continuous basis through validation [...] Read more

Canadian Parliament Amends PIPEDA with the Digital Privacy Act

Written by
On June 18, 2015, the Canadian Parliament passed into law the Digital Privacy Act (the “Act”), which amends Canada’s federal data protection statute, the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to businesses in every Canadian province except British Columbia, Alberta and Quebec; however, businesses in those provinces may become subject to PIPEDA if they operate in federally-regulated sectors or if personal information that originated in their province crosses provincial borders.  Although many of the Act’s provisions will come into force on [...] Read more

FCC TCPA Order has Harsh Impact on Businesses

Written by
On July 10, 2015, the FCC entered its long awaited Order on 21 petitions seeking clarification on a number of issues related to the federal Telephone Consumer Protection Act (“TCPA”).  A copy of the complete Order is available here https://www.fcc.gov/document/tcpa-omnibus-declaratory-ruling-and-order.  The Order is consistent with comments that the FCC made during its open hearing on June 18, 2015.  For businesses that place autodialed calls or calls that use an artificial or prerecorded voice, be it for telemarketing or other purposes, the key takeaways from the new Order are as follows: First, [...] Read more

Peter Swire Testifies Before Senate Judiciary Committee on Encryption

Written by
Alston & Bird Senior Counsel Peter Swire testified today before the Senate Judiciary Committee as part of its hearing entitled, Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy.  The hearing, held on July 8, 2015, featured Sally Quillian Yates, Deputy Attorney General, and James B. Comey, Jr., Director of the Federal Bureau of Investigation, on the first panel, and Cyrus Vance, District Attorney of New York County, Herbert Lin of Stanford University, and Swire on the second panel.  The hearing focused on the seemingly competing interests of law enforcement/national [...] Read more

FFIEC Issues Optional Cybersecurity Assessment Tool

Written by
On June 30, 2015, the Office of the Comptroller of the Currency (OCC) announced that the Federal Financial Institutions Examination Council (FFIEC) has issued an optional Cybersecurity Assessment Tool (Assessment) for banking institutions (“institution”) to use to evaluate risks and cybersecurity maturity (i.e., level of preparedness).  OCC also announced that it would “gradually incorporate the Assessment into examinations of national banks, federal savings associations, and federal branches and agencies.”  This arises out of a 2014 pilot cybersecurity examination work program at more [...] Read more

Rhode Island Updates Identity Theft Protection Act; Requires Notice Within 45 Days of Data Breach

Written by
In the absence of action by the U.S. Congress to pass a national data breach notification law, many states stepped into the breach to update their laws this year to add more specific notice guidelines, a requirement to notify the state’s attorney general or another state official, and to require entities that maintain personal information to implement risk-based data security standards. Rhode Island has now joined that group. On June 26, Rhode Island Governor Gina Raimondo signed Senate Bill 0134, the Rhode Island Identity Theft Protection Act of 2015 (the “2015 Act”), which substantially [...] Read more

FTC Releases New Data Security Guidance for Businesses, Announces Conference Series

Written by
The Federal Trade Commission has released new guidance, called “Start with Security,” intended to assist businesses to improve their data security practices based on lessons learned from its 53 data security cases to date.  Issued on June 30, 2015, the guidance “distill[s] the facts of those cases down to their essence” in ten “lessons to learn that touch on vulnerabilities that could affect your company.” The ten lessons are as follows: Start with security.  The FTC advises businesses to factor security into its business processes from the beginning.  It also reminds businesses [...] Read more