Highest-Level Who? What Contractors Need to Know About the New FAR Provisions Requiring the Disclosure of Immediate and Highest-Level Ownership

This post was written by Lorraine M. Campos, Leslie A. Monahan, and Nkechi Kanu.

Back in May, a final rule issued by the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) imposed new disclosure requirements on federal contractors. Contractors will now be required to disclose whether they are owned or controlled by another business entity during their System for Award Management (SAM) registration.

Starting tomorrow, November 1, 2014, SAM registrants will face a new set of questions on ownership. The first question asks:

  • Does your entity have an immediate owner?

If the registrant selects “yes,” they will be required to answer the second question:

  • Does your entity have a higher-level owner?

The final rule adds a new FAR subpart 4.18, which defines “immediate owner” and “highest-level owner.”

  • Immediate owner means an entity, other than the offeror, that has direct control of the offeror. Indicators of control include, but are not limited to, one or more of the following: Ownership or interlocking management, identity of interests among family members, shared facilities and equipment, and the common use of employees.
  • Highest-level owner means the entity that owns or controls an immediate owner of the offeror, or that owns or controls one or more entities that control an immediate owner of the offeror. No entity owns or exercises control of the highest level owner.

In addition, offerors are now required to provide their Commercial and Government Entity (CAGE) codes for awards valued at greater than $3,000 (the micro-purchase threshold). The CAGE code is a five-character alpha-numeric identifier used within the Federal Government. Further, offerors must also list the name and CAGE codes for all entities reported as immediate and highest-level owners.

While CAGE codes have traditionally been reserved for contractors, the final rule now requires legal entities that may not have their own government contracts to obtain this identifier. As a result, the federal government will have more insight into who is actually benefiting from federal contracts.

Data Security Threats Are on the Rise in the Golden State, According to California Attorney General Kamala Harris

This post was written by Maytak Chin, Lisa Kim and Divonne Smoyer.

A California attorney general’s report released this month shows that data security threats are on the rise in the Golden State. Against a backdrop of increasing security breaches, the report recommends best practices for companies to adopt as a way to reduce their vulnerabilities and to better protect consumers.

The report highlights trends in security breaches that have occurred in California over the past two years. Last year alone, personal data from more than 18.5 million California residents was compromised, which represents a 600 percent increase from the 2.6 million records breached the year before. Moreover, the leading industries targeted for hacks and malware attacks were retail, financial services, and health care. In 2013, the retail industry had 26 percent of total breaches, followed by financial services at 20 percent, and health care at 15 percent. These industries are most at risk for security breaches because they possess and transact sensitive consumer data as an integral part of their business models.

Large retailers are particularly in jeopardy for cyber attacks. For instance, Target had a security breach that compromised 41 million individual records, and Living Social had 50 million of its consumer records hacked in 2013, which affected consumers nationwide. The magnitude of the security compromises at Target and Living Social illustrates how large retail companies have become prime targets for cyber attacks. However, updating company practices and technological processes can reduce system vulnerabilities.

The California attorney general’s report recommends that companies take four steps to improve data security and reduce breaches:

  • First, companies could update point-of-sale terminals and systems, e.g., cash registers and other payment card technologies, to accept chip-embedded cards. Chip cards interact with physical sale terminals to authenticate payment cards and have the ability to send a one-time message, which changes with each transaction. Since 1994, more than 80 countries have moved toward using chip cards, including Canada, Mexico, and Brazil, and several countries in Europe and Asia.
  • Second, encrypting sensitive information could reduce unauthorized access to the data. Once encrypted, the data transforms into a non-readable format that becomes readable only when paired with a matching cryptographic key generated by a matching mathematical algorithm. This prevents access to such information from unauthorized users who do not have the matching cryptographic key.
  • Third, companies could employ tokenization solutions to make sensitive information less accessible. Tokenization is similar to encryption, except the key or token is generated at random at the point of use, rather than through a set mathematical algorithm.
  • Fourth, companies should implement security breach policies to ensure prompt notifications to consumers and responses to address the breach, as measures to prevent further systemic harm.

The California attorney general’s report comes on the eve before new personal information privacy rules take effect next year. In the past month, the California Legislature passed, and the governor approved, Assembly Bill No. 1710, which amend Civil Code section 1798 et seq. The newly enacted provisions will restrict the sale of Social Security numbers, including in advertising and offers to sell, and expand the law to reach any company that owns, licenses, or maintains specified personal information of any California resident. The new laws will also require that security breach notifications include an offer from the business with the breach to provide appropriate identity theft prevention and mitigation service to compromised consumers. For more information on Assembly Bill No. 1710, check our blog post on it here.

The California attorney general’s office is one of the most active offices in the area of state privacy enforcement. In the past several years, however, state attorney generals across all 50 states have become increasingly active in privacy enforcement because of a lack of comprehensive privacy rules in the United States at the federal level.

Reed Smith attorneys conduct Q&A with Idaho AG

This post was written by Divonne Smoyer and Frederick Lah.

Attorney General (AG) Lawrence Wasden is Idaho’s longest-serving AG, having served since his election in 2002. Wasden has been a strong advocate of consumer protection issues related to privacy, such as marketing scams and Internet safety, particularly with respect to teens and children. He also has served as president of both the National Association of Attorneys General (NAAG), the nonpartisan professional association for state AGs, as well as the chair of the Conference of Western Attorneys General (CWAG), an educational association focusing on legal and policy issues of importance to states in the western U.S.

Reed Smith Data Privacy attorneys Divonne Smoyer and Frederick Lah produced a series of Q&A with AG Wasden. Click here to read the entire interview on The Privacy Advisor.

Also see our previous Q&As with Connecticut AG George Jepsen and Indiana AG Greg Zoeller.

Paying More: New Final Rule Implementing Federal Minimum Wage for Contractors

This post was written by Lorraine M. Campos and Paula A. Salamoun.

On October 7, 2014, the Department of Labor (“DOL”) published its Final Rule, 79 Fed. Reg. 60633, implementing Executive Order (EO) 13658’s new minimum wage requirements for government contractors and subcontractors. While addressing the nation in the January 2014 State of the Union Address, President Obama stated his intention to issue an EO that would “requir[e] federal contractors to pay their federally-funded employees a fair wage of at least $10.10 an hour.” Shortly thereafter, President Obama issued EO 13658, setting the new federal contractor minimum wage at $10.10, and tasking the secretary of the DOL with the responsibility of publishing new implementing regulations. In an earlier June 2014 post, we discussed the DOL’s then-proposed rule and its potential reach and applicability, as well as the potential pitfalls for contractors who ignore this new regulatory development. Since then, the DOL has wrapped up its notice and comment period, and put forth its Final Rule.


The DOL’s Final Rule applies to new and replacement federal contracts that arise from solicitations issued on or after January 1, 2015, or contracts awarded on or after January 1, 2015. Contractors engaging in business under any of the following four contractual categories will come under the provisions of the new regulations:

  • Procurement contracts for construction under the Davis-Bacon Act (DBA)
  • Service contracts under the Service Contract Act (SCA)
  • Concessions contracts, including any concessions contract excluded from the SCA by the Department of Labor’s regulations at 29 CFR 4.133(b)
  • Contracts related to federal property or lands and related to offering services for federal employees, their dependents, or the general public

New Obligations

Contractors and subcontractors are now subject to certain new obligations. For example, any covered lower-tiered subcontract must include the Executive Order contract clause informing parties of the new minimum wage. Additionally, contractors and subcontractors must assure notification of the new applicable minimum wage rate to all workers performing on or in connection with a covered contract.

The Final Rule also imposes new recordkeeping obligations that may cause some administrative headaches. For example, if a covered contractor during any workweek is not exclusively engaged in performing covered contracts, the contractor must record the time spent on covered contracts apart from time worked on contracts not covered. Further, contractors with covered contracts are required to maintain records of each worker's occupation or classification and the total wages paid.


The Final Rule provides regulations authorizing agency investigations and administrative hearings when necessary. Generally, enforcement procedures and remedies under these regulations will be based on the text of the Federal Labor Standards Act (FLSA), SCA, and DBA.

TCPA: The Muddled Madness Continues!

This post was written by Judith L. Harris.

Tuesday evening, the Federal Communication Bar Association held a seminar in Washington designed to help practitioners make some sense of the ever-expanding number of class actions that have been brought under the Telephone Consumer Protection Act (“TCPA”) by often over-zealous plaintiffs’ attorneys; the inconsistent decisions that have been rendered by the courts; and the scores of requests for declaratory rulings that are currently pending before the Federal Communications Commission (“FCC,” “Agency,” or “Commission”). While the participants on the seminar’s two panels (the first designed as a litigation update and the second intended to provide a look down the road) quibbled over substance throughout the evening, they did seem to share one common perspective: the TCPA is a mess!

Not surprisingly, the panelists – especially the FCC’s representative – were much more adept at identifying open issues than at providing answers. Nonetheless, we were able to gain some insight into what are generally considered to be the most difficult TCPA-related issues and how some of the current confusion might eventually sort itself out.

  • There seems to be universal agreement that the FCC will issue an order “any day now” dealing with opt-out requirements in situations involving solicited faxes. We got the sense that an order is already signed by at least the necessary three Commissioners, and that the Agency will cut a little bit of slack in limited circumstances, to telemarketers responding to consumer requests or sending faxes to existing customers who have consented to receiving them. We’ll see.
  • It also seems that Commission staff is currently grappling with the definition of “called party” in the case of reassigned mobile phone numbers. The courts have recently reached differing conclusions regarding that definition for purposes of ascertaining consent, some holding that the called party is the intended recipient of the call and others concluding that it’s the current subscriber. We’re guessing that this will be the subject of the next important TCPA order issued by the FCC.
  • The good money is betting that the other big questions (in particular, the many pending requests for declaratory rulings relating to the definition of an ATDS, the capacity debate, etc.) will be wrapped into the omnibus rulemaking currently pending before the Agency. It appears that the Commission would be very interested in arriving at a compromise position that could be embraced by both businesses and consumers. Panelist Jason Goldman, Counsel at the U.S. Chamber of Commerce, offered that the Chamber is very focused on trying to proactively develop solutions to some of these issues as, not surprisingly, this whole area of the law is of grave concern to the Chamber’s members.
  • Interestingly, in the first panel, two different answers were given by private practitioners to the question of how many petitions for declaratory rulings are currently pending before the FCC (41 and 52). During the second panel, which included Kristi Lemoine – an attorney with the FCC’s Office of Consumer and Governmental Affairs who described herself as spending more than 90 percent of her time on TCPA issues – Kristi confessed that she herself doesn’t know which of those two numbers was accurate, as petitions keep coming on a regular basis, and even she is having a hard time keeping track of them. As expected, Kristi gave the usual caveats before she spoke: (1) that she was only speaking for herself and not on behalf of the Commission; and (2) that she wasn’t going to have a lot to say because virtually all the issues that the audience might be interested in were currently the subject of pending petitions for declaratory rulings, which she was not at liberty to discuss. Then she proceeded to say almost nothing and made no predictions. She did advise that the FCC was attempting to group the petitions by issue, but even just doing that was tough because of the frequency with which petitions were being filed, and the fact that many posed more than a single issue.
  • There seemed to be some consensus that, currently, one of the most interesting open questions relates to the scope of third-party liability for mobile marketing TCPA violations. Several panelists referred to the recent decision of the Ninth Circuit holding that companies that hire third parties to send unsolicited text messages on behalf of yet another entity can be held liable for TCPA violations. See, Gomez v. Campbell-Ewald Co., __F. 3d___, 2014 WL4654479. The Gomez case reversed and remanded an order granting summary judgment in favor of defendants, holding that a marketing company, hired by the U.S. Navy to run a recruitment campaign, could be held liable for violations by a third party with which the marketing company had subcontracted to send text messages in furtherance of the Navy’s recruitment campaign. While the FCC has previously opined that third-party liability should be based on common law principles of agency (actual/apparent authority/ratification), everyone agreed that this Ninth Circuit decision, holding, as it did, that a middle man that hired a vendor on behalf of an entity that contracted with the middle man to have calls made or messages sent, could be held liable for acts of the vendor with which the middleman contracted, is really pushing the envelope; and may or may not end up accurately reflecting the law.
  • Finally, there were several references during the seminar to the Federal Trade Commission’s (“FTC”) announcement in August of the winners of its “Zapping Rachel” robocall contest as evidence that the relevant federal enforcement agencies remain laser-focused. According to the description on the FTC’s website: “Zapping Rachel marks the latest step in the FTC’s ongoing campaign to combat illegal, pre-recorded telemarketing calls known as robocalls. The contest challenged participants to design a robocall honeypot which is an information system designed to attract robocallers and help law enforcement authorities, researchers, and others gain enhanced insights into robocallers’ tactics.” Beware! The award winners came up with some pretty innovative ideas!

In other news, the FCC also released an Enforcement Alert. The Alert contains a warning (in this election season) that the TCPA’s prohibitions about auto-dialed calls and pre-recorded messages also apply to political calls, and that the Commission intends to enforce the law and its regulations in this regard. For you beleaguered defendants out there: turnaround is fair play!

From Epidemic to Bioterrorism: Mitigating Contractor Risks in a Worst-Case Scenario

This post was written by Lorraine M. Campos and Leslie A. Monahan.

While the current Ebola outbreak is a natural epidemic, the idea that the virus could be used as a bioterrorist threat has been considered. Accordingly, the potential for obtaining Department of Homeland Security (DHS) Support Anti-terrorism by Fostering Effective Technologies Act of 2002 (SAFETY Act) protection for products or services related to fighting the Ebola virus is not completely far-fetched.

As background, the SAFETY Act was established to facilitate the development and use of effective anti-terrorism products and services. The SAFETY Act creates systems of risk and litigation management by providing liability protections for manufacturers and sellers of qualified anti-terrorism technologies (QATT) that could save lives. Specifically, sellers of QATT are granted limited liability for third-party claims arising out of the deployment of the QATT with respect to acts of terrorism. The maximum liability is determined by DHS on an applicant-by-applicant basis based on information contained in the application, and the seller is required to maintain liability insurance at that level.

Although the SAFETY Act may seem limited in scope, it applies to comprehensive terrorism prevention, response, and mitigation, and has covered vaccines and screening technology in the past. For example, in 2006, SAFETY Act designation and certification was given to the developer of a vaccine to prevent the symptoms associated with infection with anthrax. That same year, the manufacturer of a sterile antibody product that can be used for the treatment of adverse reactions to the smallpox vaccine, or other uses relating to exposure to the smallpox virus, received SAFETY Act protection. Additionally, biological screening kits for multiple bioterrorism agents have been covered by the SAFETY Act.

In the event DHS would offer SAFETY Act protection to businesses developing new medical treatments and interventions to treat and contain the Ebola virus, this protection does not eliminate all risks and uncertainties for developers. SAFETY Act coverage only applies to claims stemming from designated acts of terrorism, and does not protect against non-terrorism related risks. Since there is also a risk of contracting Ebola outside of terrorist events, claims stemming from these incidents would be outside the scope of SAFETY Act protection.

Opportunity for Government Contractors to Develop Ebola Countermeasures

This post was written by Lorraine M. Campos and Nkechi Kanu.

The Ebola epidemic in West Africa is the worst medical outbreak of the disease in recorded history. Currently, there are no treatments or vaccines proven to be safe or effective for the Ebola virus, and investigational vaccines and treatments are only in the early stages of development. As such, the primary approach to containing the virus includes identifying and isolating infected people, and ensuring that health care workers have access to protective equipment.

In response to the Ebola outbreak, the U.S. government has been actively working with private and public entities and international organizations to facilitate the development of treatments and vaccines with the potential to help mitigate the Ebola epidemic. Additionally, the U.S. Food and Drug Administration (“FDA”) has utilized a mechanism under its regulatory framework to enable access to an investigational medical product that can detect the Ebola virus.

Under section 564 of the Federal Food, Drug, and Cosmetic Act (FD&C), the FDA can issue an Emergency Use Authorization (EUA), which allows for the use of unapproved medical products or unapproved uses of approved medical products in an emergency to diagnose, treat, or prevent serious or life-threatening diseases when there are no adequate, approved, and available alternatives. The FDA recently utilized an EUA to authorize the use of an Ebola diagnostic test, developed by the Department of Defense (DOD). The FDA declared that the DOD’s diagnostic test could help facilitate an effective response to the ongoing epidemic in West Africa by rapidly detecting patients infected with Ebola virus, and facilitating appropriate containment measures and clinical care. After the issuance of the EUA, the FDA encouraged other diagnostic product developers to pursue an EUA, or other appropriate mechanisms, for their investigational products that can be used to test for or treat Ebola. Although the EUA issued October 10, 2014 waived certain labeling, storage, and distribution requirements, developers should be mindful that section 564 of the FD&C Act does not establish a liability protection scheme or tort immunity for manufacturers or others who carry out any activity for which an EUA is issued.

In addition to the FDA’s authority to issue EUAs, the Public Readiness and Preparedness Act (PREP) authorizes the Secretary of the U.S. Department of Health and Human Services (HHS) to issue a PREP Act declaration in response to a public health emergency. Unlike an authorization under an EUA, a PREP Act declaration provides immunity from tort liability claims to individuals or organizations involved in manufacturing, distributing, or dispensing medical countermeasures. Covered countermeasures include vaccines, antidotes, medications, medical devices or other FDA-regulated products used to respond to pandemics, epidemics, or any biological, chemical, radiological, or nuclear threat. If HHS chooses to issue a PREP Act declaration for the Ebola virus, manufacturers who decide to distribute or dispense medical countermeasures under a declaration should be advised of the liability protections they can receive.

New VETS Rule Changes Reporting Requirements for Government Contractors - Veterans in the Aggregate

This post was written by Lorraine M. Campos and Nkechi A. Kanu.

The U.S. Department of Labor’s Veterans’ Employment and Training Service (“VETS”) recently issued a final rule altering the reporting requirements on veteran employment and hiring for federal contractors. The new rule revises the regulations implementing the reporting requirements under the Vietnam Era Veterans’ Readjustment Assistance Act of 1974 (“VEVRAA”). Although the rule becomes effective October 27, 2014, federal contractors and subcontractors will not be required to comply with the reporting requirements until the reporting cycle in August 2015.

The new rule rescinded obsolete regulations and changes the manner in which federal contractors and subcontractors report on their employment of veterans. Significant changes made in the final rule include:

  • Rescinding 41 C.F.R. Part 61-250: VETS rescinded the regulations in part 61-250, which generally apply to contracts entered into before December 1, 2003. VETS found that the rules were obsolete because the Federal Acquisition regulations (FAR) generally limit the length of government contract to a maximum period of five years. As such, any contracts entered into prior to December 1, 2003, have likely terminated.
  • Changing Reporting Requirements: The final rule renames the VETS-100A Report to VETS-4214 Report. The new rule provides that under VETS-4214, contractors can now report the total number of “protected veterans” in their workforce in the aggregate, rather than by each category of veterans protected by the statute. Previous reporting requirements under VETS-100A called for contractors to provide the total number of veterans protected under each of the four categories of “covered veterans”: (i) disabled veterans; (ii) other protected veterans; (iii) Armed Forced service medal veterans; and (iv) recently separated veterans.
  • Change in the Definition of Protected Veteran: The new regulation eliminates the definitions for “covered veteran” and “other protected veteran,” and provides a new definition of “protected veteran” to mean a veteran who may be classified as a disabled veteran, recently separated veteran, active duty wartime or campaign badge veteran, or an Armed Forces service medal veteran.

VETS believed that reporting aggregate data, rather than the data for each category of veterans protected, will provide more meaningful data to Congress. Specifically, the aggregate information will allow for cross-year comparisons of federal contractors’ employment and hiring of protected veterans, as well as the proportion of contractors’ workforce and new hires made up by protected veterans.

Additionally, VETS indicated that comprehensive data recording under the new rule will assist contractors in effectively monitoring the success of their recruitment and outreach efforts to attract protected veterans. Under the final rule, contractors and subcontractors may have to adjust their recordkeeping systems in order to comply with the revised data collection.

Court Finds, Again, That Device ID Is Not Personally Identifiable Information (PII) Under The Video Privacy Protection Act (VPPA)

This post was written by Lisa B. Kim.

On October 8, 2014, a district court judge in Georgia dismissed with prejudice a Video Privacy Protection Act (VPPA) action against The Cartoon Network (CN), holding that the disclosure of the plaintiff’s Android ID was not actionable because the Android ID did not qualify as “personally identifiable information” (PII). The full order is attached.

In Ellis v. The Cartoon Network, Inc., the plaintiff alleged that he downloaded the Cartoon Network App (“CN App”) and began using it to watch video clips on his Android device. Plaintiff alleged that each time he used the CN App, a complete record of his video history, along with his Android ID number, was transmitted to Bango. Bango, as a third-party analytics company that collects a wide variety of information about consumers from other sources, would then allegedly reverse-engineer the consumers’ identities by using the Android ID.

Plaintiff claimed that CN’s practice of sharing his Android ID and viewing history to Bango without his consent was a violation of the VPPA.

The court dismissed the case with prejudice, finding that the Android ID did not qualify as PII, and thus, CN’s practices of sharing device IDs to Bango did not fall within the purview of the VPPA. Citing to the In re Hulu and In re Nickelodeon cases, the court explained that in order to be considered PII, the information had to link an actual person to actual video materials. Where an anonymous ID was disclosed to a third party but that third party had to take further steps to match that ID to a specific person, no VPPA violation occurred. The court likened this case to the disclosure of cable box codes, which could not identify consumers without corresponding billing records. Here, too, Bango needed to go through an additional step of matching PII gathered from other sources to identify the user. This was not a situation where video viewing habits were linked to a Facebook account, where the specific person could be identified without any additional steps. Accordingly, the court found that the disclosure of an Android ID alone, as happened here, does not qualify as PII under the VPPA, and dismissed the case with prejudice.

The court also considered and rejected arguments by CN that plaintiff had no standing to bring the case because he did not suffer an injury in fact, and that plaintiff was not a “subscriber” to any of CN’s services, and thus, not a “consumer” under the VPPA. The court found that an invasion of a statutorily created right established standing even if no injury would have existed without the statute. Since plaintiff alleged a violation of the VPPA, the court found that plaintiff alleged an injury. The court also found that plaintiff was arguably a subscriber because he downloaded the CN App and used it to watch video clips. However, given that the court ultimately dismissed the case, these rulings would be considered dicta.

With this ruling, courts appear to be drawing a line with regard to applying the VPPA to sharing information with analytics companies. Plaintiffs have certainly been testing the waters with VPPA cases against various news and entertainment organizations (see May 5, 2014 blog post). This ruling demonstrates that the courts are hesitant to push the bounds of the VPPA to include the simple sharing of device IDs without more. Time will tell if the other courts follow suit.

U.S. Supreme Court Upholds Fourth Circuit Victory for Omnicare, Inc. in High-Profile, Precedent-Setting False Claims Act Case

This post was written by Eric A. Dubelier, Lawrence S. Sher, Katherine J. Seikaly, Mel BerasJames C. Martin, and Colin E. Wrabley.

In a decision that has significant repercussions both for the pharmaceutical and health care industries and False Claims Act jurisprudence more broadly, the U.S. Supreme Court denied review of a groundbreaking Fourth Circuit decision affirming the dismissal of a novel False Claims Act suit against Reed Smith client Omnicare, Inc. In its February 2014 decision, the Fourth Circuit rejected the qui tam relator’s claim that Omnicare violated the FCA when it sought reimbursement for drugs that it allegedly packaged in violation of certain federal packaging regulations. The significance of these rulings is especially great as FCA suits proliferate, and settlements and judgments explode. In fiscal year 2012 alone, nearly 800 FCA lawsuits were filed, more than half of which involved the health care industry. And in that same year, according to the U.S. Department of Justice, there were settlements and judgments in FCA cases of nearly $5 billion, more than $3 billion of which involved the health care industry.

Click here to view the full issued Client Alert.

ICO Publishes its Report on Big Data and Data Protection

This post was written by Cynthia O’Donoghue.

On 28 July, the ICO released its report ‘Big data and data protection’ (the ‘Report’).

The Report defines ‘Big Data’ and sets out the data protection and privacy issues raised by Big Data, as well as compliance with the UK Data Protection Act 1998 (‘DPA’) in the context of Big Data.

The ICO defines Big Data by reference to the Garter IT glossary definition, and further explains that processing personal data must be of a significant volume, variety or velocity.

When announcing publication of the Report, Steve Wood, the ICO’s Head of Policy Delivery, stated that “Big Data can work within the established data protection principles….The principles are still fit for purpose but organisations need to innovate when applying them”.

Under the DPA 1st Principle (fair and lawful processing), the Report emphasises that the complexity of Big Data analytics should not become an excuse for failing to seek consent where required, and that organisations must process data fairly, particularly where Big Data is used to make decisions affecting individuals. A study by Barocas and Selbst entitled ‘Big Data’s Disparate Impact’ found that Big Data has the “potential to exacerbate inequality”, and use of Big Data that resulted in discrimination would violate the fairness principle.

The Report addresses the significant issue of data collection when using Big Data analytics, and stresses that an organisation must have a clear understanding from the outset of what it intends to do with, or learn from, the data to ensure that the data is relevant and not excessive for the purpose. The Report seeks to address the growing concern that Big Data analytics tends to involve collecting as much data as possible, but that under the DPA, data minimisation remains an essential element of Big Data.

The Report also cautions that organisations seeking to use analytics must ensure against purpose-creep by following the purpose limitation principle to ensure that data collected for one purpose is then not used for another purpose incompatible with the original purpose. With this in mind, the ICO suggests that organisations employ a risk-based approach to identify and mitigate the risks presented by Big Data.

The Report also addresses whether the growth of Big Data leads to an increased data security threat, and highlights how The European Union Agency for Network and Information Security (‘ENISA’) has identified a number of emerging threats arising from the potential misuse of Big Data by so-called ‘adversaries’. In contrast, the Report also illustrates that there is evidence illustrating how Big Data can be used to improve information security.

To address these concerns, the ICO recommends several ‘tools for compliance’, including:

  • Privacy Impact Assessments (PIAs)
  • Privacy by Design
  • Promoting transparency through Privacy Notices

Big Data is a fast-growing area that offers many opportunities and commercial advantages. It also presents many challenges. As the Report argues, the benefits of Big Data can only be realised by adhering to current DPA Principles and safeguards. Only through compliance will individuals trust organisations and become more open to the use of their data for Big Data analytics.

Did California Just Impose a First-in-the-Nation Requirement for Breaching Companies To Offer Identity Theft Prevention and Mitigation Services?

This post was written by Paul Bond, Lisa B. Kim, and Leslie Chen.

Spurred by the security breaches at Target, Neiman Marcus, and The Home Depot, California Gov. Jerry Brown signed into law Assembly Bill No. 1710 September 30, 2014. The bill expands requirements on persons or businesses that own, license, and maintain personal information about a California resident. Specifically, the new law amends sections 1798.81.5, 1798.82, and 1798.85 of the California Civil Code to reflect the following changes:

  • Expands the provisions that require businesses to provide security measures involving personal information to include businesses that “maintain” information about a California resident, not just those who “own” or “license” that information.
  • Requires that if the person or business providing a security breach notification was the source of a breach that involved the exposure or possible exposure of social security numbers (SSNs) or driver’s license numbers, then “an offer to provide appropriate identity theft prevention and mitigation services, if any, shall be provided at no cost to the affected person for not less than 12 months.”
  • Prohibits the sale, advertisement for sale, or offer to sell of an individual’s social security number, except in specific circumstances.

Previously, only businesses that owned or licensed personal information about a California resident were required to implement and maintain reasonable security procedures and practices to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Owned and licensed personal information include “information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates.” For example, financial institutions have long been deemed “owners” of personal information under the existing law, and frequently have to issue notices of breach in situations when the actual incident did not even occur at a bank or credit union. However, with the new bill, as long as a business maintains personal information, it will be responsible for disclosing that a breach occurred. This expands the data breach laws to include retailers that have personal information about their customers, but do not use it in the manner defined above.

In addition, AB 1710 requires businesses that are the source of a security breach involving SSNs or drivers’ license numbers to provide, if any, identity theft prevention and mitigation services at no cost to the affected person for a minimum period of 12 months. The plain text of the statute makes the requirements regarding cost and length of services conditional on the company offering services at all. By saying that “an offer…if any” must meet certain requirements, the statute precludes very short-term “offers” that really function as teasers to get people to subscribe for services at their own expense. However, many commenting on the bill before and after passage have essentially read the “if any” language out of the text by construing the provision to make credit monitoring or a like service mandatory. Regardless of the interpretation, the new provision reflects the legislature’s interest in offering security breach victims a means to ameliorate the situation.

Finally, the new bill also provides that a person or entity may not sell, advertise for sale, or offer to sell an individual’s SSN except in specific circumstances allowed by the law. For example, businesses are not prohibited from incidentally releasing social security numbers when it is necessary to do so to accomplish a legitimate business purpose. Note, however, that it is not permissible to release an individual’s social security number for marketing purposes.

The new amendments go into effect January 1, 2015. Beginning then, businesses that violate the law may be subject to civil actions by customers seeking to recover damages or injunctive relief. Cal. Civ. Code § 1798.84(b) and (e).

It's a Bird...it's a Plane...it's a Drone; FAA Approves Limited Use of Drones as Camera Platforms for Film and TV Production

This post was written by Hilary St. Jean.

Unmanned aerial cameras have been legal in other parts of the world but prohibited for commercial use in the United States until last week, with the limited exception of two commercial-drone operations, which the FAA had previously approved for Alaskan oil operations. On September 25, 2014, the FAA announced that it approved certain uses of drones or unmanned aircraft systems (“UAS”) in the National Airspace System for film and TV productions. This is a breakthrough for the entertainment industry because drones allow filmmakers Superman-like abilities to take images at angles never before captured. Drones are able to cover altitudes lower than helicopters but higher than cranes, and can navigate indoor areas that are otherwise difficult or impossible to get to. However, the FAA’s approval is not without restriction.

The FAA must grant permission for all non-recreational (commercial) drone flights. Thus far, FAA permission has been granted to only six aerial photo companies for film and TV production. Additionally, various safety requirements are associated with the approval process. The FAA stated that these six applicants submitted UAS flight manuals with detailed safety procedures that were a key factor in their approval. Nevertheless, the requirements leave open the opportunity for operating requests from companies in other fields. In fact, the FAA stated it is currently evaluating requests from 40 companies (allegedly including Amazon.com Inc., which desires to test prototype delivery drones at its Seattle headquarters). Meanwhile, abroad – at DHL headquarters in Germany – drones are beginning deliveries of medications and other urgent goods to the island of Juist, after securing approval from state and federal transport ministries and air traffic control authorities to operate in restricted flight areas. These are referred to as “parcelcopters,” and illustrate the widespread potential future use and capability of UAS both domestically and abroad.

Click here to read the full issued Client Alert.

UK Competition Authority acted irrationally in hotel room on-line pricing case

This post was written by Edward S. Miller and Marjorie C. Holmes.

A decision by the UK’s former competition authority, the Office of Fair Trading (OFT – now replaced by the Competition and Markets Authority (CMA)) to accept commitments to settle its investigation into on-line prices for hotel rooms has been quashed by the UK Competition Appeal Tribunal and sent back to the CMA to decide again.

As noted in a previous alert on the case, a striking feature of the commitments given to resolve the original investigation was the absence of a clear commitment regarding MFN or price parity clauses which oblige hotels to guarantee that a website is being offered the best price by the hotel. Indeed, a feature of the commitments was that, although websites would henceforward be allowed to discount room prices by sacrificing a part of their commission, the websites could be obliged to keep these deals secret by limiting them to certain classes or “clubs” of customers. Price comparison sites, such as the appellants, Skyscanner and Skoosh (also the original complainant) had made the point to the OFT that the effect of hiding these discounts was that the discounted prices would not be picked up by the search tools used by price comparison sites, thus restricting transparency and competition.

Click here to read the full issued Client Alert.

PCI Addresses Payment Security Risks with New Guidance

This post was written by Cynthia O’Donoghue and Kate Brimsted.

In August, the Payment Card Industry (“PCI”) Security Standards Council published the Third Party Security Assurance Information Supplement (“Supplement”) to help organisations reduce their risk by better understanding their respective roles in securing card data.

The Supplement was developed by the PCI Special Interest Group (“PCI SIG”) consisting of merchants, banks and third-party service providers, to help meet PCI Data Security Standard (“PCI DSS”) Requirement 12.8.

Under PCI DSS Requirement 12.8, an entity must maintain policies and procedures to ensure that service providers are securing cardholder data. In addition, under PCI DSS 3.0, effective from 1 January 2015, entities will be required to obtain a written acknowledgement of responsibility for the security of cardholder data from their service providers.

The Supplement focuses on practical recommendations to help meet the Requirements. Examples include:

  • Conducting due diligence of Third-Party Service Providers (“TPSP”)
  • Implementing a process to help organisations understand how services provided by TPSP meet the PCI DSS Requirements
  • Developing written agreements and policies and procedures
  • Monitoring TPSP compliance status

The Supplement could not come at a better time. Worldpay, a payment processor, reported in August that at least 6.57 million cards in the UK have been put at risk over the past three years as a result of security breaches. UK consumers are now becoming increasingly wary, and a survey commissioned by payments-provider PayPoint in May found that 55 percent of UK consumers view payment security as the most important factor in deciding how to pay.