Proskauer on Privacy

We’ve been at it from the start…

Upload: proskauer-rose-llp

Post on 14-Apr-2017


Strength in numbers

Our practice is one of the few that offers the deep expertise of highly specialized lawyers in corporate transactions, litigation defense and employment law – all within the privacy and data security specialization, and in all tiers of seniority.

Historical Development of Privacy and Data Protection Law

Timeline: 1995 to 2016

1996

1996: Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress.

1996-1999: Early commercialization of the World Wide Web and e-Commerce.

In early 1997, 51 million adults were online in the U.S. and Canada. Of those people, 73% reported that they had shopped for product information on the World Wide Web.

How Proskauer addressed it:

1996: Our lawyers had already specialized in health care law for many years, and had been tracking this legislation through Congress. Upon enactment, they promptly began advising covered entities, preparing privacy statements and training materials, counseling on compliance, and negotiating business associate agreements.

1996-1999: Our lawyers wrote the first Web site Privacy Policies for corporations venturing onto the Web.

Legacy Web site Privacy Policies had been written by marketing professionals, designed to assuage consumers’ fears of transacting online. They made overbroad promises that could be (and were, eventually) enforced legally.


1998

1998: Deadline for EU countries to enact laws to comply with the European Union’s Data Protection Directive.

1998: Children’s Online Privacy Protection Act (COPPA) enacted.

1998: FTC action against Geocities for making deceptive privacy promises in its online Privacy Policy. First FTC action of its kind.

How Proskauer addressed it:

1998: Our lawyers prepared a multi-volume EU Data Directive compliance handbook for a German-based multinational media company.

1998: Our lawyers were quick to identify clients who had web sites that were targeted toward children, and helped them to comply with COPPA, taking advantage of the law’s exceptions to reduce the impact on business.

In 2013, when the COPPA regulation was amended, our lawyers did the same, again, using creative strategies to reduce the burdensome impact on legitimate, law-abiding businesses.

1998: Our lawyers began to track FTC enforcement actions on privacy promises, and to design client privacy policies to be “judgment-proof” against FTC theories of action.


2000

2000: Gramm–Leach–Bliley Act (GLBA) Privacy Rule and Safeguards Rule passed.

2000: The U.S. Department of Commerce and the European Union agreed to a Safe Harbor Program to allow personal data to be exported from Europe to the United States in compliance with EU data protection law.

How Proskauer addressed it:

2000: Our lawyers began advising financial institutions and their service providers to prepare privacy statements, craft compliant data sharing arrangements and negotiate compliant agreements, addressing state mini-GLBA laws too.

2000: Our lawyers began to assist clients to make use of the Safe Harbor program, as one of the easiest methods of complying with EU data protection law with respect to exporting personal information from Europe.


2001

2001: The European Article 29 Working Party released the first model contract to enable the export of personal information from Europe to non-European countries whose laws did not afford adequate data protection in the eyes of the European data protection authorities.

How Proskauer addressed it:

2001: Our lawyers began to use these model contracts to facilitate clients’ export of data from Europe.

When additional forms of model contracts were released in 2002, 2004 and 2010, our lawyers continued to evolve with the landscape and advise clients to leverage their best options under European data protection law.


2002

2002-present: Online businesses seek to monetize the data they have access to from their customers for behavioral online advertising purposes.

2002: California’s Breach Notification Law was enacted. In the years thereafter, all U.S. jurisdictions but three have followed suit.

2002: FTC brought action against Eli Lilly on data security grounds, deploying the deceptive trade practices prong of Section 5 of the FTC Act. This was the first FTC action of its kind.

How Proskauer addressed it:

2002-present: Our lawyers represent a national cable and broadband provider to negotiate online advertising-related contracts with key marketplace participants, including addressing behavioral advertising issues in contracts and in implementation.

In 2014, our lawyers represented a global online behavioral advertising company to design its programs to comply with U.S. laws that regulate online tracking of Internet users.

2002: Our lawyers began to educate clients, and counsel them when they suffered data breaches of sensitive customer or employee information.

Since the California breach notification law became effective, our lawyers have handled dozens of data breaches per year of all shapes and sizes.

2002: Our lawyers began to track all FTC enforcement actions pertaining to data security, and to craft policies and procedures for clients that would be “judgment-proof” against FTC precedent.


2003

Pre-2003: With no federal anti-spam law, almost 50 contradictory state laws and bills regulated a business’s ability to send promotional emails to its customers.

2003: The U.S. “CAN-SPAM” Act was enacted, pre-empting ~50 state laws that varied in their requirements for commercial email.

2003: The Federal Communications Commission issued a decision that the Telephone Consumer Protection Act applies to text messages as “calls,” adding to the suite of state and federal laws regulating direct marketing, including email, telemarketing, faxing and text messaging.

In 2009, the 9th Circuit agreed with the FCC’s determination in Satterfield v. Simon & Schuster, leading to a $13M settlement.

How Proskauer addressed it:

Pre-2003: Our lawyers prepared compliance programs for clients that brought about compliance with all laws for one email campaign.

2003: Our lawyers wrote the leading comprehensive White Paper on the CAN-SPAM Act, and began preparing internal compliance procedures for clients having the effect of reducing the statutory damages available for violations of the Act.

In 2015, our lawyers defended a company whose business is to send promotional emails for its clients against a CAN-SPAM suit that made novel arguments. The suit resulted in a nominal settlement amount.

2003: Our lawyers prepared compliance memos and tables for all types of direct marketing: e-mail, fax, telemarketing, text messaging, instant messaging and postal marketing.


2005

2005: FTC action against BJ’s for failing to protect consumer data from unauthorized access, where it had not made a promise to protect data. This was the first FTC action of its kind.

In 2003, the International Association of Privacy Professionals (IAPP) was formed.

How Proskauer addressed it:

2005: Our lawyers continued to track all FTC enforcement actions pertaining to data security, and to craft policies and procedures for clients that would be “judgment-proof” against FTC precedent.

2005: Kristen Mathews, the head of Proskauer’s Privacy & Cybersecurity practice, received her certification as an information privacy professional from the International Association of Privacy Professionals. Since then, eight of our lawyers have received their CIPP credentials over the years.


2006

2006: The legal specialty of “data privacy law” began to take stride at other law firms, with some firms beginning to take interest and launch formal practice groups.

2006: In 2005, states had begun to enact laws that regulate the collection of vehicle and driver information from vehicles.

How Proskauer addressed it:

2006: Proskauer lawyers authored and edited the first comprehensive treatise on the topic of privacy and data protection, Proskauer On Privacy, published by the Practicing Law Institute and still updated by Proskauer lawyers and outside authors two times per year.

Proskauer launched its Privacy Law Blog, which has since been selected for inclusion in the Library of Congress historic collection of Internet materials.

2006: Assisted a luxury auto brand to survey laws in all 50 states to address privacy issues with the remote collection, use and sharing of customer and vehicle usage data from vehicles.


2007

2007: TJX (of T.J. Maxx stores) had just suffered the largest data breach to date, and cyber insurance policies were in their infancy, with just a few specialty carriers in the market.

How Proskauer addressed it:

2007: Our lawyers assisted a specialty insurance carrier to design its new cyber risk insurance policy to apply appropriately to the marketplace.


2008

2008: Cloud computing began to replace traditional technology outsourcing arrangements.

2008: Chambers & Partners added a “Privacy and Data Security” category to its annual law firm rankings publication.

2008-2009: FTC in the heat of enforcement actions against companies that have suffered data breaches.

How Proskauer addressed it:

2008: Our lawyers began to identify the key differences between traditional outsourcing and cloud services from a data protection perspective, and to negotiate agreements for our clients to address those new and novel issues.

2008-2016: Proskauer’s Privacy & Cybersecurity Practice Group has been Chambers-ranked since 2008.

2008-2009: Our lawyers defended a private class action and an FTC action against an education company that suffered a security breach. A favorable settlement of the private claim was reached, and the FTC was dissuaded from pursuing an action against the company.


2008

2008: The “Red Flags Rule” was passed by the Federal Trade Commission and banking regulators, requiring companies to take measures to detect and take action on detected ID theft.

2008: Mobile Apps began to replace Web sites as the preferred means of interacting with customers online.

How Proskauer addressed it:

2008: Our lawyers wrote A Practical Guide To The Red Flag Rules, published by the Practicing Law Institute.

Our lawyers worked with creditors and financial institutions to “brainstorm” the indicators detectable to them of identity theft on their customer accounts and the appropriate action to take in light of such indicators, and to design programs around these frameworks.

2008: Assisted a developer of a consumer mobile application to conduct “privacy-by-design” in development of the application and also prepared the App privacy policy.


2009

2009: The Federal Trade Commission took an expansive interpretation of the scope of the Red Flags Rule, by considering businesses that accepted payment for services in arrears to be “creditors” covered by the rule.

2009: Europe’s e-Privacy Directive amended to require web sites to obtain user consent before using cookies.

2009: Some of the earliest data breach private actions were waged against companies that suffered data breaches.

How Proskauer addressed it:

2009: Proskauer represented the American Bar Association to fight the contention that lawyers are covered by the Red Flags Rule. The court agreed, and found that law firms are not covered by the regulation. Following that, Congress amended the Act to carve out more business models from its scope on the same grounds.

2009: Our lawyers developed a framework to inventory and categorize cookies based on compliance obligations and risk, and derived implementation plans for clients that were business-friendly and risk-based.

2009: Proskauer represented a major U.S. bank defending claims arising from the loss of computer back-up tapes. In a significant win, the defendants’ motions to dismiss were granted.

Proskauer also represented the bank in respect of multiple regulatory investigations, stemming from the same data loss, including fashioning an extremely favorable settlement with a state attorney general.


2002-2011

2002-2011: After being on the books but unenforced since 1990, plaintiffs’ class action lawyers began to enforce California’s Song-Beverly Credit Card Act, which puts burdens on a retailer’s collection of customer data at the point of sale.

How Proskauer addressed it:

2002-2011: Our lawyers defended several of the first class action lawsuits against retailers under the Song-Beverly Act and negotiated favorable settlements that were leveraged in future cases against other retailers defended by other counsel.

To protect other clients from similar class actions, our lawyers identified each of the states with similar laws and prepared a risk chart that graphically illustrated the types of PII requests that could and could not be made in each state and identified practical work-around solutions for each state law.


2010

2010: A complex, multi-party litigation arose from one of the largest data breaches to date, suffered by a payment card processor and affecting 40M payment cards. The case was in the heat of litigation, approaching settlement.

2010: Private class action lawsuits continue to be waged against companies that had suffered data security breaches.

2010: Regulators from around the world gathered at the annual assembly of International Data Protection and Privacy Commissioners in Jerusalem, Israel, and unanimously passed a resolution recognizing Privacy by Design as an essential component of fundamental privacy protection. In 2012, this was followed by the U.S. Federal Trade Commission’s recognition of Privacy by Design in its report entitled Protecting Consumer Privacy in an Era of Rapid Change – a major validation of its significance.

How Proskauer addressed it:

2010: Proskauer represented a specialty cyber security insurance carrier in overseeing the defense of its insured against claims that it was responsible for one of the largest payment card data breaches on record. The outcome was a favorable settlement.

2010: Our lawyers represented a financial services company against a putative nationwide consumer class action lawsuit alleging failure to safeguard non-public financial information. The case was dismissed and the decision was upheld on appeal.

2010: Proskauer lawyers conducted a “privacy by design” evaluation and prepared a privacy policy for an online tool for a music, movie, game and other content distribution service used by dozens of top technology and entertainment companies.


2010

2010: Companies were increasingly being held responsible by regulators and private claimants for data security breaches they suffered at the hands of criminal data thieves.

2010: Plaintiff class action lawsuits continue to be waged against companies that have sent text messages allegedly without consent in violation of the Telephone Consumer Protection Act.

How Proskauer addressed it:

2010: Our lawyers provided a comprehensive assessment of clients’ data security practices, benchmarked findings against applicable laws, identified practical ways to address the identified gaps, documented the client’s practices in the form of written policies and procedures, developed training materials and conducted a train-the-trainer program to help the client uniformly communicate the policy.

2010: Our lawyers represented a movie production company in the defense and settlement of a putative class action in which the plaintiff alleged that the company, through a third-party vendor, sent nearly 100,000 text messages to individual consumers without consent. We reached a favorable settlement with the plaintiff class, which the federal district court approved.


2010

2010-2016: In 2010, companies just began to acquiesce to employee demands to use their personally owned devices (instead of company-issued BlackBerrys) to access their corporate email and calendar (BYOD).

2010: After the term “big data” was coined in 2005 by Roger Mougalas from O’Reilly Media, corporate America increasingly looked for ways to leverage the large data sets it had accumulated in the ordinary course of business.

How Proskauer addressed it:

2010-2016: In 2010, our lawyers assisted one of the first media conglomerates to develop a policy and plan of action to allow employees to use their personal devices for work purposes.

In 2012, we assisted a mobile device management (MDM) solution provider to create a “state-of-the-art” template “bring your own device” policy for use by its customers.

We assisted many companies thereafter with BYOD policies, as the legal analysis has changed by virtue of the desire to make BYOD mandatory as a cost-saving method.

2010: Our lawyers assisted a nonprofit financial institution in the student loan-guaranteeing business to survey its rights under numerous agreements with students, other lenders and federal student loan agencies, as well as applicable federal and state laws, to reuse and disclose student loan information to serve a separate for-profit product offering to schools.

Following that, in 2011, our lawyers assisted a global publisher of business information to determine the scope of its rights to use information received from auto dealerships about vehicle sales to create a licensed product containing aggregate sales information without personally identifiable information, and negotiated an agreement with the industry group representing auto dealers to receive the necessary rights to the data in order to create and sell the product.

In 2013-14, our lawyers assisted a global financial institution in the insurance industry to determine its rights under applicable contracts and federal and state laws to use insurance policy information received from insurance carriers and their counterparts to provide aggregate information to all participating carriers, and prepared agreements for use with participants to procure the necessary rights.


2011

2011: SEC releases guidance for publicly traded companies to disclose cybersecurity risks and breaches in SEC filings.

2011: Electoral organizations begin to explore the viability of online voting in political elections.

2011-2012: Google continues to assume dominance in the marketplace, to push the boundaries of data protection laws globally, and to defend numerous privacy-related lawsuits and governmental investigations.

How Proskauer addressed it:

2011: Our lawyers began to carefully craft disclosures for publicly traded companies that accurately reflect risk and are at par with disclosures of similarly situated companies.

2011: Our lawyers assisted a not-for-profit organization with addressing privacy, data security and online authentication issues with regard to an online voting portal where it was essential that voters be reliably authenticated.

2011-2012: Advised a global investment firm having a large investment in Google as to Google’s financial exposure under privacy laws as well as the likelihood of Google suffering a financial loss under each of the many privacy legal challenges it faced at the time.


2012

2012: After being on the books but unenforced since 2005, plaintiffs’ class action lawyers began to experiment with California’s Shine the Light Act, hoping it would be as lucrative for them as some other privacy laws that provide for statutory damages.

How Proskauer addressed it:

2012: Our lawyers defended among the first of these cases brought, and using creative arguments and strategy, led the case to dismissal.

Although many class action suits were filed under this law around the same time against several entities by the same plaintiffs’ counsel, this was the first substantive ruling by any court and had a pivotal effect on other pending litigation.

Those cases achieved dismissal too, and no new class action under this law has been brought since.


2012

2012: Companies began to use “tabletop” data breach exercises to train to handle an actual data breach.

How Proskauer addressed it:

2012: Our lawyers prepared a comprehensive data breach incident response plan for a national publicly traded car retailer and conducted a tabletop incident response exercise for the whole incident response team, including presentation of the final report to the board.

Since then, our lawyers have presented several cybersecurity tabletop exercises per year, for companies including an insurance company, a retailer, a residential services provider, a national health care provider, and a television network.


2013-14

2013-2014: A second wave of data breaches hit retailers nationwide, targeting point of sale card processing equipment.

2013-2015: The Department of Health and Human Services’ Office for Civil Rights (OCR) has ramped up its efforts to enforce the HIPAA Security Rule against health care providers that have suffered data security breaches.

How Proskauer addressed it:

2013-2014: Our lawyers assisted one of these retailers to respond to the breach in compliance with applicable laws and to mitigate exposure to reputational loss and legal damages. Our lawyers managed the client’s response to the data security breach, including identifying the full nature and scope of the incident, engaging vendors to provide computer forensic and credit monitoring services, preparing notification letters in full compliance with the 46+ state information security breach laws, and interfacing with state attorneys general and other government agencies.

2013-2015: Our lawyers defended a HIPAA-covered entity in connection with an inquiry by the Department of Health and Human Services relating to a security breach of Protected Health Information. Ultimately, the OCR was persuaded not to pursue the action.


2013-2015

2013: Ed Snowden copied and leaked classified information from the National Security Agency (NSA) revealing the extent of the U.S. government’s surveillance on communications of U.S. citizens.

2013-2016: Anti-terrorism law enforcement bodies worldwide increasingly seek to receive data from private companies that help them track the whereabouts of individuals on watch lists.

2013: Corporations increasingly leverage technologies that allow them to track the physical whereabouts of their personnel in fleet vehicles and using smart phones and tablets.

How Proskauer addressed it:

2013: Our lawyers worked with the American Civil Liberties Union (ACLU) in Clapper v. Amnesty International, a case brought before the United States Supreme Court challenging 2008 amendments made to the Foreign Intelligence Surveillance Act which essentially allow the National Security Agency (NSA) to monitor Americans’ international communications.

2013-2016: Our lawyers assisted a global cruise company in crafting an agreement with a European law enforcement body to share passenger information in accordance with European data protection law.

2013: Our lawyers conducted a 50-state survey of laws that require consent to track the geographic location of people using various technologies.


2014

2014: The International Association of Privacy Professionals expands its presence in Europe.

2014: SEC released a Risk Alert warning broker dealers and investment advisors that they will be expected to have a robust cybersecurity program in place.

2014: Electricity companies begin to explore “smart meters” as a way to conserve energy.

How Proskauer addressed it:

2014: Cecile Martin, Special International Counsel in our Paris office, was appointed Chair of the International Association of Privacy Professionals KnowledgeNet for France.

2014: Our lawyers immediately began to counsel broker dealers, investment advisors, hedge funds, and private equity firms about the SEC’s cybersecurity mandate and how they can prepare to meet the SEC’s expectations of them with regard to cybersecurity.

2014: Our lawyers assisted a national solar power company to establish a privacy program, including customer-facing privacy notices, to address privacy issues raised by collecting highly granular information about household occupancy and habits from residential smart meters.


2015

2015: An increasing trend evolved of so-called data security consultants detecting security vulnerabilities in technology products and reporting them to the company and to government authorities.

2015: Increasingly over the 10+ years since data breaches have been reported publicly, data breaches are being caused by service providers who are hired by a company to serve a back-end function.

2015: After years of enforcement by plaintiffs’ class action lawyers reaping the benefit of statutory damages, plaintiffs’ counsel are still suing retailers under FACTA for including too much payment card information on printed sales receipts.

2015: A European court invalidated the Safe Harbor program, which had allowed personal data to be transferred from Europe to the United States for the last 15 years.

How Proskauer addressed it:

2015: Our lawyers represented a medical software company in an investigation by the Federal Trade Commission against a doctor practice management software vendor relating to an alleged security vulnerability in its software product.

2015: Proskauer represented T-Mobile in connection with the widely publicized data breach of millions of its customers’ information housed by its vendor, Experian.

2015: Our lawyers successfully defended a high-end fashion house in a Fair and Accurate Credit Transactions Act (FACTA) litigation alleging that the retailer failed to redact credit card expiration dates from customer receipts. Our motion to dismiss the case was granted.

2015: Our lawyers immediately began to assist clients to decide upon and put in place alternative means to export and receive personal information from Europe.


2016

2016: Europe passed its new General Data Protection Regulation (GDPR), which will replace its twenty-year-old Data Protection Directive and be directly effective on companies worldwide by 2018.

How Proskauer addressed it:

2016: Our lawyers began to counsel clients on the changes they would need to make in order to become compliant with the new regulation by 2018.