The Department of Defense (DoD) has announced a plan to pilot 5G technologies on four military installations in partnership with private industry and the Federal Communications Commission. The project has been heralded as an opportunity for the DoD to work with industry and collaborate across federal agencies to advance the Trump administration's policy of maintaining the United States' global leadership in 5G.
California Governor Gavin Newsom recently signed the Consumer Call Protection Act 2019 to address the rise in deceptive robocalls and protect consumers from fraudulent calls. The act requires telecoms service providers to implement secure telephony identity revisited (STIR) and secure handling of asserted information using tokens (SHAKEN) protocols by 1 January 2021 and is the latest in a series of ongoing efforts to promote STIR/SHAKEN or similar call authentication frameworks.
New York Governor Andrew Cuomo recently signed into law a pair of bills establishing new requirements for businesses that process certain personal information relating to New York residents. The changes include expanding the scope of information covered by New York's data breach notification law. Businesses maintaining the private information of New York residents will now be required to develop reasonable safeguards within their organisation as part of a new reasonable security requirement.
The US Department of Justice (DOJ) has issued a new guidance memorandum entitled "Evaluating a Business Organisation's Inability to Pay a Criminal Fine or Criminal Monetary Penalty". This memorandum aims to provide greater clarity, transparency and uniformity as to how the DOJ's Criminal Division evaluates companies' claims that they cannot pay a proposed criminal fine or monetary penalty.
The California attorney general recently released proposed regulations to implement certain provisions of the California Consumer Privacy Act (CCPA). The attorney general also released a notice of proposed rulemaking and an initial statement of reasons that provide drafting insights and outline considerations that will likely continue to guide the rulemaking process. The proposed regulations provide clarifications for businesses and consumers in five key CCPA areas, including privacy notice requirements.
In a legislative environment charitably described as challenging, the fact that the Senate recently passed cybersecurity legislation by unanimous consent is noteworthy and highlights the bipartisan nature of this issue. The bill requires the newly formed Department of Homeland Security teams to provide assistance to public and private entities, on request, to prepare for and respond to cyber-related incidents, including (among other things) restoring services after a cyber incident.
The California legislature recently debated several amendments to the California Consumer Privacy Act, eventually passing five bills which now await the governor's signature. Collectively, these bills do not provide the sweeping changes sought by businesses. Instead, the amendments make minor tweaks and postpone for one year some of the more challenging requirements. The passed bills address a range of topics, including providing for a partial, temporary one-year exception for applicant and employee data.
The New York governor recently signed into law a pair of bills establishing new requirements for businesses that process certain personal information relating to New York residents. The changes include expanding the scope of information covered by New York's data breach notification law and defining 'breaches' to include incidents involving unauthorised access to covered information, even where the information is not acquired.
In a long-awaited decision, the Supreme Court was expected to provide greater clarity on the extent to which litigants can challenge the Federal Communications Commission's Telephone Consumer Protection Act interpretations in private litigation. However, instead of deciding that issue, the court vacated the Fourth Circuit's ruling and remanded the case for further development.
Senate Bill 220 was recently signed into law, making Nevada the first state to join California in granting consumers the right to opt out of the sale of their personal information. However, the new privacy law is significantly narrower than the California Consumer Privacy Act (CCPA). For example, it applies only to online activities, defines 'consumer' and 'sale' more narrowly and includes broad exceptions for financial institutions subject to the Gramm-Leach-Bliley Act.
Federal Communications Commission (FCC) Chair Ajit Pai recently announced plans to open a rulemaking proceeding to take a fresh look at the 5.9GHz band. In this new proceeding, the FCC will consider whether and how to allow sharing in the 5.9GHz band between dedicated short-range communication, gigabit Wi-Fi and cellular vehicle-to-everything technologies.
Several legislative proposals seeking to amend the California Consumer Privacy Act are moving forward following a recent hearing before the California Assembly's Committee on Privacy and Consumer Protection in which the bills were approved. The bills will advance to the assembly's Appropriations Committee before being voted on by the full assembly and potentially advancing to the California State Senate for consideration.
A court has expressed concern with the government's "routine outsourcing" of investigations to the targets of those investigations seeking cooperation credit. The court noted the corporate target's "uniquely coercive position" over its employees, who may also be potential targets of the investigation. The decision may profoundly affect the structure and scope of cooperation agreements between the government and the corporate targets of criminal investigations.
In 2018 California passed the California Consumer Privacy Act (CCPA), which seeks to give consumers additional safeguards regarding their personal information. The CCPA will become effective in January 2020 and may impact companies in the education sector, including large education technology companies. Regulated educational entities should be wary of the CCPA's key requirements, including the deletion of consumers' personal information on request.
Congress recently introduced a bipartisan proposal to enhance cybersecurity for the network of internet-connected devices, commonly known as the Internet of Things (IoT). The IoT Cybersecurity Improvement Act 2019 aims to establish baseline cybersecurity standards for IoT devices. It would also impose limits on the types of IoT device that the US government can purchase.
The Department of Justice (DOJ) recently confirmed the importance of implementing a robust compliance programme that is not only well designed, but also adaptable and able to function effectively. The DOJ's latest guidance makes clear that companies have a strong incentive to maintain an effective compliance programme. Most importantly, these programmes must be fully implemented, account for the structure and scope of a company's business and actually operate effectively.
The Federal Trade Commission recently issued notices seeking public comment on proposed amendments to the regulations implementing the Gramm-Leach-Bliley Act, commonly known as the Safeguards Rule and the Privacy Rule. The proposed changes to the Safeguards Rule add a number of more detailed security requirements, whereas the proposed changes to the Privacy Rule focus on technical changes to align the rule with changes in law over the past decade.
The Federal Trade Commission (FTC) recently announced that it had settled with the operators of a video social networking app for a record civil penalty of $5.7 million under the Children's Online Privacy Protection Act. This action was notable not just for the penalty's size, but also because of the joint statement by two Democratic commissioners that future FTC enforcement should seek to hold corporate officers and directors accountable for violations of consumer protection law.
Throughout 2018 the Department of Justice (DOJ) continued to ring the clarion call for cooperation and sought to provide some certainty, consistency and coordination regarding the incentives offered to companies that provide voluntary disclosures. In particular, the DOJ centralised its guidance memoranda into what is now known as the Justice Manual. The DOJ's goals were to identify redundancies, clarify ambiguities, eliminate surplus language and update the manual to reflect current law and practice.
Government attorneys now have additional discretion in False Claims Act civil cases to award cooperation credit to a corporation that meaningfully assists the investigation without necessarily identifying every individual person outside of senior management involved in the alleged misconduct. The new policy reflects the reality of modern corporate investigations and encourages realistic cooperation efforts without compromising the Department of Justice's policy of holding individuals accountable.