On April 26, 2011, Sony Computer Entertainment America (“Sony”) disclosed an information security breach that may affect up to 77 million consumers. On Sony’s PlayStation blog, Patrick Seybold, Senior Director of Corporate Communications and Social Media, wrote that an unauthorized person intruded into Sony’s PlayStation Network and Qriocity streaming music and video service between April 17 and April 19, 2011, and may have obtained users’ names, addresses, email address, birthdates, passwords and logins. Mr. Seybold wrote that “out of an abundance of caution” Sony was advising its users that their credit card information also may have been obtained. The blog post also noted that Sony is taking steps to address the breach, which include (1) turning off PlayStation Network and Qriocity services, (2) engaging an external security firm to investigate the incident, and (3) enhancing information security and strengthening its network infrastructure. Sony further advised users to “review your account statements and to monitor your credit reports,” and provided the contact information for the three major credit bureaus in the United States.
On April 26, 2011, the French Data Protection Authority (the “CNIL”) issued a press release unveiling its inspection goals for the coming year. In a report adopted on March 24, 2011, the CNIL indicated that it intends to conduct at least 400 inspections in France (100 more than the 2010 goal), with a special focus on the following issues:
As part of an effort to increase penalties for violations of the country’s Personal Information Protection Act, officials in Japan plan to extend liability under that law to individual employees, according to recent reports in The Yomiuri Shimbun and The Japan Times. Currently, a company that violates the law may be fined or ordered to take remedial steps, and the company head may be imprisoned. The law revision would come as part of changes to the legal framework accompanying a proposed national identification number system ...
On April 11, 2011, the United States District Court for the Northern District of California declined to dismiss four of the nine claims in a class action lawsuit filed against RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites. The suit stems from a December 2009 security breach caused by an SQL injection flaw that resulted in the exposure of unencrypted user names and passwords of approximately 32 million RockYou users. RockYou subsequently fixed the error and acknowledged in a public statement that “one or more individuals had illegally breached its databases” and that “at the time of the breach, the hacked database had not been up to date with industry standard security protocols.” After receiving notification of the security breach from RockYou in mid-December, on December 28, 2009, a RockYou user who had signed up for a photo-sharing application filed a complaint seeking injunctive relief and damages for himself and on behalf of all other similarly-situated individuals.
On April 14, 2011, the European Advertising Standards Alliance (“EASA”) and IAB Europe released complementary new self-regulatory standards for online behavioral advertising. This cross-industry initiative is aimed at enhancing European consumers’ control over their data and ensuring transparency, particularly with respect to advertisements that are delivered using third party online behavioral advertising.
On April 18, 2011, the European Commission (the “Commission”) adopted an Evaluation Report on the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”).
The Data Retention Directive requires that, for law enforcement purposes, telecommunications service and network providers (“Operators”) must retain certain categories of telecommunications data (excluding the content of the communication) for not less than six months and not more than two years. To date, most of the EU Member States have implemented the Data Retention Directive, but Czech Republic, Germany and Romania no longer have implementing laws in place because their constitutional courts have annulled the implementing laws as unconstitutional.
On April 5, 2011, Lisa Sotto, partner and head of the Privacy and Data Security practice at Hunton & Williams LLP, discussed the Epsilon email breach in an interview with Tracy Kitten of Information Security Media Group. The interview covered issues such as data protection requirements for sensitive consumer data, steps companies should take to protect data and lessons to be learned from the breach. Download the podcast now.
On April 4, 2011, the Article 29 Working Party (the “Working Party”) issued an Opinion to clarify the legal framework applicable to smart metering technology in the energy sector (the “Opinion”).
Smart meters are digital meters that record energy consumption and enable two-way remote communication with the wider network for purposes such as monitoring and billing, and to forecast energy demand. Smart meters are intended to allow the industry to better regulate energy supply, and to help individuals reduce consumption. According to the Working Party, however, the analysis and exchange of smart metering information has the potential to be privacy-invasive.
On April 15, 2011, the United Kingdom’s Department for Culture, Media and Sport (“DCMS”) announced that the UK will adopt the new EU rules on cookies without “gold-plating” the regulations by imposing additional national requirements, to help ensure that British companies can compete with the rest of Europe. As we previously reported, the UK government had reassured businesses that it would carry out the implementation in a manner that would minimize the impact on businesses and consumers.
On April 5, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the current EU personal data breach framework and recommendations for future policy developments (the “Opinion”).
In 2009, the revised e-Privacy Directive 2002/58/EC (the “e-Privacy Directive”) introduced a mandatory data breach notification regime for the telecommunications sector. Pursuant to the e-Privacy Directive, telecommunications and internet service providers are required to report certain data breaches to their national regulator and to affected individuals.
On April 13, 2011, Representative Cliff Stearns (R-FL) introduced the Consumer Privacy Protection Act of 2011 (the “Act”), which seeks to “protect and enhance consumer privacy” both online and offline by imposing certain notice and choice requirements with respect to the collection and use of personal information.
On April 4, 2011, the Article 29 Working Party (the “Working Party”) issued an Opinion finding that New Zealand ensures an adequate level of data protection within the meaning of the EU Data Protection Directive 95/46/EC (the “Data Protection Directive”). The Working Party’s assessment in the Opinion focuses on the New Zealand Privacy Act 1993 and is based primarily on a comparison of the Act and relevant case law, against the provisions of the Data Protection Directive.
On April 6, 2011, the European Commission (“the Commission”) signed a voluntary agreement with private and public stakeholders to establish data protection guidelines for companies that use radio frequency identification device (“RFID”) technology within Europe.
The agreement, entitled “Privacy and Data Protection Impact Assessment Framework for RFID Applications” (the “Framework”) requires companies to conduct privacy impact assessments for all RFID applications they implement and to take measures to address identified data protection risks before those applications are deployed in the market. Reports of the completed privacy impact assessments must be made available to the national data protection authorities. The Framework, which was designed in close cooperation with the European Network and Information Security Agency after consultation with the Article 29 Working Party, provides the first clear, comprehensive methodology that can be applied across all industry sectors to assess and mitigate RFID-related privacy risks. It is intended both to assure companies that their use of RFID technology is compatible with European data protection legislation, and to enhance privacy protections for European citizens and consumers.
On April 12, 2011, U.S. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the Commercial Privacy Bill of Rights Act of 2011 (the “Act”) to “establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission.” The bill applies broadly to entities that collect, use, transfer or store the “covered information” of more than 5,000 individuals over a consecutive 12-month period. Certain provisions of the bill would direct the FTC to initiate rulemaking proceedings within specified timeframes, but the bill also imposes requirements directly on covered entities.
On April 7, 2011, the Securities and Exchange Commission announced a settlement involving three former brokerage firm executives charged with “failing to protect confidential information about their customers.” According to the announcement, “this is the first time that the SEC has assessed financial penalties against individuals charged solely with violations of Regulation S-P.” Regulation S-P mandates that financial firms safeguard their customers’ confidential information and prevent its release to unaffiliated third parties without authorization.
On April 6, 2011, the European Commission formally requested that Germany immediately comply with a March 9, 2010 judgment (C-518/07) by the European Court of Justice (the “Court”) concerning the independence of German data protection authorities (“DPAs”).
As we previously reported, the Court ruled in March 2010 that Germany had failed to properly implement the requirement that DPAs are to act with “complete independence” in exercising the functions entrusted to them, as explicitly provided by the EU Data Protection Directive 95/46/EC. According to the Commission, 15 out of Germany’s 16 federal states have not yet undertaken any action to rectify the violation identified in the Court’s judgment. In its formal notice letter, the Commission ordered Germany to comply with the Court’s judgment within two months or risk a fine or penalty imposed by the Court.
On April 1, 2011, Epsilon Data Management, LLC (“Epsilon”), a leading marketing services provider based in Irving, Texas, issued a press release announcing that its clients’ customer data had been “exposed by an unauthorized entry into Epsilon’s email system” that took place on March 30, 2011. In the press release, Epsilon indicated that the information acquired as a result of the incident was limited to email addresses and customer names. Several major retailers, credit card issuers, financial institutions and other companies that use Epsilon as a service provider ...
Mexico’s Ministry of Economy and Federal Institute for Access to Information and Data Protection (the “IFAI”) will issue the first set of regulations implementing Mexico's new private sector data protection law the week of April 11, 2011. These first regulations will cover the legal requirements to provide privacy notices to consumers and to appoint a designated privacy official, which go into effect in July 2011. The two agencies want to ensure that the private sector has adequate time to prepare appropriate privacy notices prior to the July effective date. The balance of the law, granting individual participation rights to consumers, becomes effective in January 2012.
As reported in BNA’s Privacy Law Watch, on March 29, 2011, South Korea’s president approved the Act on the Protection of Personal Data. This comprehensive privacy law will require nearly all businesses and government agencies to provide data breach protection, mandate the use of privacy assessments before establishing certain new databases, and establish a right to file class actions in court over alleged violations of the law. The implementing rules will be worked out before the law is due to take effect on September 30, 2011. South Korea first attempted to enact a comprehensive privacy law in 2004; however, for the past seven years, omnibus privacy bills sponsored by the government and lawmakers have stalled in Parliament.
As reported in BNA’s Privacy Law Watch, on April 1, 2011, a New York law went in effect requiring manufacturers of certain electronic equipment, including devices that have hard drives capable of storing personal information or other confidential data, to register with the Department of Environmental Conservation and maintain an electronic waste acceptance program. The program must include convenient methods for consumers to return electronic waste to the manufacturer and instructions on how consumers can destroy data on the devices before recycling or disposing of them. Retailers of covered electronic equipment will be required to provide consumers with information at the point of sale about opportunities offered by manufacturers for the return of electronic waste, to the extent they have been provided such information by the manufacturer.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code