Washington Amends its State Data Breach Notification Law

This post was written by Divonne Smoyer and Christine N. Czuprynski.

On April 13, the Washington State Senate unanimously passed an amendment to the state’s data breach notification law. The amendment, which was requested by Washington Attorney General Bob Ferguson, and which we discussed in this previous post, passed the state house of representatives in March and is now awaiting the governor’s signature. The law will require notification to affected consumers and to the attorney general, if more than 500 Washington residents are affected, within 45 days of discovery of the breach. The law further clarifies the exemption for encrypted data, and requires notification of encrypted data if the encryption key, or other means of deciphering the “secured” data, is also acquired during the breach. As state legislative sessions across the country begin to wind down, we will likely have much more to report on amended breach notification laws. Many of the amendments are being driven by state attorneys general, as we noted in a recent interview with Oregon Attorney General Ellen Rosenblum.

Raising the Bar: New Report Shows an Increase in Suspension and Debarment Actions

This post was written by Lorraine M. Campos and Carlos A. Valdivia.

On March 31, 2015, the Interagency Suspension and Debarment Committee (“ISDC”) released its report to Congress detailing federal suspensions and debarment actions for fiscal year 2014. From 2013 to 2014, federal agencies in aggregate increased their use of exclusion actions. The number of persons and entities proposed for debarments jumped from 2,229 to 2,241, and suspensions increased from 887 to 1,009. Even after considering the ISDC’s counting conventions, the numbers show an upward trend in agency enforcement.

Although the ISDC notes that the overall number of suspensions and debarments is not a measure of success, the increase in enforcement correlates with the improvement of agency suspension and debarment programs. The ISDC report cites the Government Accountability Office’s findings, which indicate newly active suspension and debarment programs within six agencies. Intra-agency referrals to suspending and debarring officials are more effectively supported now than they have been in the past.

The ISDC also articulated the steps it plans to undertake to strengthen agency suspension and debarment programs, including:

  • Adding a third vice chair to the ISDC to increase agency involvement
  • Liaising with the Council of Inspectors General for Integrity and Efficiency
  • Emphasizing training on suspension and debarment practices, with a view toward promoting greater procedural consistency
  • Helping agencies consider the use of administrative agreements, as an alternative to suspension and debarment
  • Making outreach efforts with congressional staffers, industry, academia, and public interest groups
  • Improving ISDC’s new public website

Given these trends, federal contractors should ensure that their compliance efforts meet the pace of enforcement. The full report is available here.

EU antitrust authorities to take value of personal data into consideration when reviewing digital markets in merger and antitrust cases

This post was written by Cynthia O’Donoghue and Marjorie Holmes.

In an interview on 9 April 2015, European Competition Commissioner Margrethe Vestager indicated that companies who control personal data could come under increased scrutiny from European antitrust authorities. She recognises that considerable sums of money can now be made by companies holding large data sets, commonly known as Big Data, by using the data to create competitive advantage, and plans to put these companies under greater inspection.

Big Data, whether provided by users or collected from users’ online behaviour, can be analysed and used to help the company differentiate itself by personalising customer services and implementing effective targeted advertising. The more users an online platform is able to attract, the greater potential there is for sales, and the more attractive the platform becomes for advertisers. With the increasing ability to use Big Data for commercial gain, its value as a commodity continues to grow; and as Vestager put it, ‘Big Data is the next currency of the Internet’.

Companies that collect Big Data are already scrutinised in the UK, and the Financial Conduct Authority is currently examining whether the use of Big Data creates barriers to insurance products and services. However, as it stands, EU authorities and regulators have no ability to take pre-emptive action to prevent market conditions developing that could be detrimental to data protection.
Vestager is hoping to change this and introduce an EU merger control framework that provides authorities and regulators with a chance to review and deal with potential Big Data competition issues before they arise, to prevent the creation of monopolies over data. An interaction between data protection and competition policy will be required if this is to be successful.

The statement only predated by a week, today’s antitrust Statement of Objections issued to Google on the favourable treatment of its comparison shopping service being an abuse of Google’s dominant position as an Internet search provider.

Reed Smith's Government Contracts Weekly Rundown

This post was written by Nkechi A. Kanu.

Here is a rundown of last week’s top developments related to government contracts to get you back on track and ready for Monday.


Last week, the Sixth Circuit found that the government failed to adequately prove damages against United Technologies Corp and reversed the $657 million judgment against the company for allegedly overcharging the government on jet engines for the military.


On April 9, 2015, the Pentagon unveiled the latest iteration of its Better Buying Power acquisition reform, focusing on the preservation of U.S. technological superiority by protecting budgets for long-term research and development while enhancing cybersecurity.


The DoD, GSA, and NASA are issuing an interim rule amending the Federal Acquisition Regulation (FAR) to implement Executive Order (E.O.) 13672, which seeks to provide for a uniform policy for the Government to prohibit discrimination by adding sexual orientation and gender identity to the prohibited bases of discrimination.


The Small Business Administration’s Office of Hearings and Appeals upheld a protest by a woman-owned small business, finding that the SBA had improperly and unreasonably rejected Petitioner's evidence concerning the gender discrimination. 


The Small Business Administration extended its deadline by an additional 30 days for public comments on a wide-ranging proposed rule that would create a government-wide mentor-protégé program for small businesses and make other changes to SBA contracting regulations.


A public meeting will be held Friday, April 17, 2015 in Washington, D.C. to discuss the GSA’s proposed rule that would replace the PRC with a new reporting requirement that the GSA believes will provide a more effective model for ensuring fair and reasonable prices.

Blogger Immune From Suit for Anonymous Comments

This post was written by Dominique H. Pietz.

A Pennsylvania judge in the Northampton County Court of Common Pleas ruled that the defendant blogger was not liable for anonymous posts in the “comments” section of his website, despite his active moderation of these posts.

In Mezzacappa v. O’Hare (Docket No. C-48-CV-2014-4521), the plaintiff, a candidate for local office, argued that the defendant should be held liable for defamation, false light, and invasion of privacy for permitting allegedly defamatory third-party posts in the “comments” section of his blog. The plaintiff reasoned that because the defendant had the ability to, and often did, delete and disapprove of third-party comments, the comments that were allowed to stand were essentially “approved” by defendant.

The defendant argued he was protected by section 230 of the Communications Decency Act (47 U.S.C.A. § 230(c)), which holds that no provider of an interactive computer service shall be treated as the publisher or speaker of information provided by another “information content provider.” In this case, the defendant argued that an anonymous poster on his blog was an “information content provider” for purposes of the statute.

On March 31, Judge Anthony S. Beltrami sided with the defendant and ruled that, even if true, the plaintiff’s allegations described nothing more than the exercise of a “publisher’s traditional editorial functions,” which fell well within the purview of section 230. The court also noted that this case met all requirements for immunity under the applicable Third Circuit Test, which requires that (1) the defendant is a provider or user of an “interactive computer service”; (2) the asserted claims treat the defendant as the publisher or speaker of the information; and (3) the information is provided by another “information content provider.” Notably, this ruling unequivocally holds that an anonymous commenter constitutes an “internet content provider” under the Communications Decency Act.

As noted by the court, this ruling is part of a continuing trend wherein courts decline to limit the application of the Communications Decency Act’s immunity to large-scale interactive computer services.

South Korea Strengthens Security Measures for Personal Information

This post was written by Cynthia O’Donoghue.

South Korea’s Ministry of Government Administration and Home Affairs issued an amended version of the Standards of Personal Information Security Measures (the ‘Standards’). These Standards seek to close loopholes and inadequacies in the South Korean data protection law, and to counter the growing number of data breaches, especially those arising from use of mobile devices.

The Standards apply to all data handlers (a concept similar to data controllers under the EU Data Protection Directive) and are designed to prevent the loss, theft, leakage or falsification of personal information. The amended version sets out extensive requirements, increases obligations on data handlers when outsourcing processing, and introduces new security measures for mobile devices.

The Standards now require that data handlers actively supervise, manage and monitor outsourcing providers. In addition, ‘mobile devices’ have been added to the definition of personal information processing systems, and data handlers must ensure that all mobile devices are equipped with appropriate security measures, including the encryption of any personal information stored on them.

These Standards follow amendments already made to the Personal Information Protection Act 2011, and provide another example of how South Korea is trying to tighten up the security of its personal data following several substantial data breaches.

Reed Smith's Government Contracts Weekly Rundown

This post was written by Nkechi A. Kanu.

Here is a rundown of last week’s top developments related to government contracts to get you back on track and ready for this week.


On April 1, the Securities and Exchange Commission (“SEC”) settled its first enforcement action against a company for violating whistleblower protections by including restrictive language in confidentiality agreements used in its internal investigations.


The U.S. Department of Labor is extending the comment period for its proposed rule governing the obligations of federal contractors and subcontractors not to discriminate on the basis of sex in their employment practices.


The Chief Acquisition Officers Council, HHS, and GSA are conducting a national dialogue to discuss ideas on how to reduce the costs associated with reporting compliance under federal awards (contracts, subcontracts, grants, cooperative agreements).


The Federal Election Commission seeks comments on a public Petition for Rulemaking to amend the Commission’s regulations regarding political contributions, to include certain factors for determining whether entities of the same corporate family are distinct business entities for purposes of the prohibition on contributions by federal contractors.

SEC Message to Government Contractors: Don't Limit Whistleblowing

This post was written by Lorraine M. Campos and Nkechi A. Kanu.

On April 1, the Securities and Exchange Commission (“SEC”) settled its first enforcement action against a company for violating whistleblower protections by including restrictive language in confidentiality agreements used in its internal investigations.

The SEC charged a Houston-based government services contractor with violating whistleblower protections codified in section 21F of the Securities Exchange Act. Rule 21F-17 specifically prohibits companies from taking any action to impede whistleblowers from reporting possible securities violations to the SEC.

The contractor’s policy allegedly required its employees in particular internal interviews to sign confidentiality statements that limited their rights to disclose information. The SEC alleged that the language warned of discipline and even termination if employees discussed the matter with outside parties without obtaining approval from the company’s legal department. Although the SEC did not find any specific instances in which the contractor specifically prevented employees from communicating with the SEC about specific securities law violations, the SEC found that imposing pre-notification requirements before contacting the SEC could potentially discourage employees from reporting securities violations.

To settle the allegations, the contractor agreed to pay a penalty, agreed not to violate Rule 21F-17 in the future, and amended its confidentiality statement to clarify that its employees will not have to seek approval from the company before contacting officials, and would not have to fear the consequences of termination or retribution for doing so. The amended confidentiality statement states:

"Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency Inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation. I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.”

SEC officials indicated that they will continue to vigorously enforce the prohibitions found in Rule 21F 17. In light of this decision, government contractors should immediately review their policies and amend any existing forms or agreements that may discourage or deter employees from reporting potential legal violations to the SEC or other governmental agencies.

FCA Acquires New Competition Powers; Increased Regulatory Activity in Future

This post was written by Edward S. Miller, Marjorie C. Holmes, Jacqui Hatfield, Tom Webley, Yousef Hatem and Aditi Kapoor.

As of April 1, 2015, the Financial Conduct Authority (FCA) has acquired new functions and powers in relation to competition including powers under the Enterprise Act 2002 (the 2002 Act) to conduct market studies and make references to the Competition and Markets Authority (CMA), and powers under the Competition Act 1998 (the 1998 Act) to investigate and enforce against breaches of UK and EU competition law. The FCA’s new powers are concurrent with the enforcement powers of the CMA under the 1998 and 2002 acts, and the CMA’s powers were inherited from its predecessor, the Office of Fair Trading (OFT) on the OFT’s merger with the Competition Commission last April.

Click here to read the full issued Client Alert.

DOE to Award 12 Contracts Totaling $55 Billion

This post was written by Amy S. Koch, Lorraine Campos and Ellen L. Bastier.

The U.S. Department of Energy (DOE) intends to award up to 12 indefinite delivery, indefinite quantity (IDIQ) contracts, including two awarded to small businesses, with a total contract celling of $55 billion. The DOE released Request for Proposals (RFP) on March 23, 2015 for the implementation of energy savings performance contracts (ESPCs) at any U.S. federal government site worldwide. Bidding is limited to energy service companies, but still provides a great opportunity for teaming and/or subcontracting and financing some of the most innovative projects of this decade. As government spending decreases and contractors are held more accountable, DOE’s ESPC program may develop into a blueprint for government contractors moving forward.

Click here to read the full issued Client Alert.

Oregon AG Seeks Tougher State Breach Law

This post was written by Divonne Smoyer and Christine N. Czuprynski.

State attorneys general (AGs) are regulators with varying enforcement priorities and policy agendas, even within a focused issue such as data privacy and security. Over the last year, The Privacy Advisor has interviewed a number of state AGs who are active in privacy to gain insight into their views. In this spotlight, we talk to Oregon AG Ellen Rosenblum about her work in privacy, including her focus on protecting children online, and her interest in seeing her state’s data breach notification law strengthened. Click here to read the full article published by the International Association of Privacy Professionals (IAPP) The Privacy Advisor.

Italy Releases Draft Declaration of Internet Rights

This post was written by Cynthia O’Donoghue.

Italy’s Chamber of Deputies has proposed a ‘Draft Declaration of Internet Rights’ (Declaration), acknowledging both the way in which the internet has changed interactions and the way it has erased borders, but also noting that the EU’s protection of personal data is a necessary reference for governing operation of the internet. The Declaration is now open to public consultation until 27 February 2015.

The aim of the Declaration is to establish some general principles to be implemented by national legislation. It consists of a preamble and 14 articles covering topics including the fundamental right to internet access, net neutrality and right to be forgotten.

In particular, there is strong emphasis on the protection of the individual from widespread monitoring. Article 9 of the Declaration, for example, states that restrictions on anonymous communications "may be imposed only when based on the need to safeguard the public interest and are necessary, proportionate, and grounded in law and in accordance with the basic principles of a democratic society."

This publication is not the first of its kind and follows the German Bundestag committee work on the ‘Digital Agenda’, France’s parliamentary committee report on Rights and Liberties in the Digital Age, and Brazil’s Marco Civil.

The Declaration has received a mixed response, including from Italy’s Data Protection Commissioner, who expressed some concern about the rights to be anonymous and to be forgotten (Articles 9 and 10). A particular concern raised about the right to be forgotten, relates to increasing the scope of the right to permit court appeals of decisions relating to search engine de-listings where there is a public interest in preserving the information, which in principle sounds like a promotion of freedom of speech, but could have the opposite effect by focusing undue attention on individual requesting de-listing.

As a Declaration it will not become binding even after being finalised after the public consultation period; however, it will form a statement of principles on internet governance and the rights of individuals.

Toward Class Actions for Health-Related Claims in France

Class actions – which are progressively becoming part of the legal landscape in France as “actions de groupe” – will probably soon be extended to personal injury claims against health products manufacturers, suppliers or service providers using health products. On March 17, 2015, a new bill proposal was issued, advocating the creation of a class action procedure for the health sector. Plenary discussions at the French National Assembly will commence March 31, 2015, and will more precisely address the issue of compensation for personal injury in the framework of the proposed class action.

Click here to read the entire post on our sister blog Life Sciences Legal Update.

Reed Smith's Government Contracts Weekly Rundown

This post was written by Nkechi A. Kanu.

Here is a rundown of last week’s top developments related to government contracts to get you back on track and ready for Monday.


The Court of Federal Claims upheld the VA’s decision to cancel a contract award, agreeing that the contractor’s access to solicitation documents created the appearance of a conflict of interest.


The U.S. Department of Health and Human Services Office of Inspector General (“OIG”) recently posted an Advisory Opinion 15-04 , which opined that laboratory waivers for certain patients referred by physician practices could generate prohibited remuneration under the Anti-Kickback Statute.


On March 25, Rep. Mac Thornberry and Rep. Adam Smith jointly introduced H.R. 1597, a bill aimed at reforming the DOD’s broken acquisition system.


On March 25, the Small Business Committee passed legislation introduced by Chairman Steve Chabot (R-OH) to ensure more small businesses can compete for federal contracts.


DOD, GSA, and NASA are considering amending the FAR to update the list of domestically nonavailable articles under the BAA, and are seeking information that will assist in identifying domestic capabilities and evaluating whether some articles on the list of domestically nonavailable articles are produced in the United States in sufficient and reasonably available commercial quantities, and of a satisfactory quality.


DOD is issuing an interim rule amending the DFARS to implement sections of the Military Construction and Veterans Affairs and Related Agencies Appropriations Act, which requires offerors bidding on DOD contracts to provide opportunities for competition to American steel producers, fabricators, and manufacturers; and restricting the use of military construction funds in certain foreign countries.

CFPB Update - Bank Short Term Loans "Payday" for Banks? CFPB Outlines Sweeping Proposal to Level the Playing Field Between Payday Lenders, Banks and Credit Unions

This post was written by Travis A. Sabalewski and Nicholas F.B. Smyth.

Direct from Richmond, Virginia: yesterday, I (Travis) visited the Greater Richmond Convention Center, where the Consumer Financial Protection Bureau (CFPB) announced at a field hearing a sweeping proposal for new rules regarding payday/deposit advance loans, auto title loans, and certain high-interest, longer-term loans. (A Fact Sheet summary is here.) After CFPB Director Richard Cordray outlined the CFPB’s proposal, the Bureau heard from, first, a panel of industry and consumer advocates and, then, members of the public. The hearing was packed and the audience ̶ comprised of payday lender employees, consumer advocates, and others ̶ lively, with one or another of those groups applauding after nearly every person’s turn at the microphone.

Click here to read the full issued Client Alert.