The Matrix

A number of U.S. federal agencies have authority to issue a type of administrative subpoena called a Civil Investigative Demand (“CID”) to obtain relevant information as part of an investigation. For example, both the Federal Trade Commission (“FTC”) and the Consumer Financial Protection Bureau (“CFPB”) have authority to issue CIDs to obtain documents and testimony in investigations related to privacy, data security, deceptive marketing, and financial fraud. This article identifies some items to consider when receiving a CIDs based on my experience issuing and reviewing hundreds of CIDs as an enforcement attorney in the Chicago office of the FTC.

What Happened?
On July 16th, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield framework (one of the three primary mechanisms that permit the lawful transfer of personal data to the U.S. from the EU), finding that U.S. personal data protections are not satisfactory so as to be “essentially equivalent to those required under EU law.”

The Illinois Biometric Information Privacy Act (BIPA) is the only biometric privacy statute in the country with a private right of action. In the last two years, litigation under BIPA has dominated privacy law headlines. There are hundreds of BIPA class action lawsuits pending in Illinois state and federal courts, with new filings each week.

Last month, the Seventh Circuit issued a highly anticipated ruling concerning Article III standing for claims brought under the Illinois Biometric Information Privacy Act (BIPA).

As schools increasingly are adjusting to remote learning and utilizing education technology (“ed tech”) services, both schools and their ed tech service providers need to consider the appropriate collection and usage of student personal information.  Here are some tips for protecting students’ privacy and safeguarding personal data:

New York’s Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act”) took effect on March 21, 2020.  The Act expands existing state breach notification requirements and imposes specific data security protections for covered businesses that own or license the private information of New York residents, regardless of whether those businesses are based in New York. The Act also broadens the definition of “private information” to include new types and combinations of data.

On March 31, 2020, Washington Senate Bill No. 6280 (the “Act”) became law, codifying one of the most detailed facial recognition regulations in the country. The Act regulates state and local government agencies in Washington using or intending to develop, procure, or use a facial recognition service but also includes important considerations for companies designing this technology.

Under extraordinary circumstances, businesses are quickly adapting to remote work on a large scale. In doing so, companies should promote best practices to protect sensitive data. Below are some techniques that your company can employ to help ensure that sensitive personal or company information stays safe: