Privacy & Information Security Law Blog

Hunton & Williams LLP proudly announces that the firm’s Global Privacy and Cybersecurity practice was ranked in Tier 1 in The Legal 500 United States 2014 guide for cyber crime and data protection and privacy. Global practice chair Lisa Sotto also was ranked as a leading lawyer and partner Aaron Simpson was highlighted for his work on privacy and cybersecurity matters.

The Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) has published a white paper entitled A Risk-based Approach to Privacy: Improving Effectiveness in Practice. This is the first paper in the Centre’s new multi-year Privacy Risk Framework Project. It follows the Centre’s March 2014 Risk Workshop, held in Paris with Centre members, privacy experts, regulators and other stakeholders. The Risk Framework Project is the next phase of the Centre’s earlier work on organizational accountability, focusing specifically on one important aspect of accountability – conducting risk assessments that identify, evaluate and mitigate the privacy risks to individuals posed by an organization’s proposed data processing.

On June 18, 2014, the German state data protection authorities responsible for the private sector (the Düsseldorfer Kreis) issued guidelines concerning the data protection requirements for app developers and app publishers (the “Guidelines”). The Guidelines were prepared by the Bavarian state data protection authority and cover requirements in Germany’s Telemedia Act as well as the Federal Data Protection Act. Topics addressed in the 33-page document include:

On June 25, 2014, U.S. Attorney General Eric Holder announced that the Obama Administration is looking to pass legislation that would provide EU citizens with a right to judicial redress in U.S. courts if their personal information that was shared for law enforcement purposes is later intentionally or wilfully disclosed. The announcement was made during the EU-U.S. Ministerial Meeting on Justice and Home Affairs in Athens, Greece, which was co-chaired by the Attorney General and aimed to advance EU-U.S. cooperation in efforts to stop transnational crime and terrorism. The announcement also relates to the ongoing negotiations of the new “umbrella” EU-U.S. Data Protection and Privacy Agreement (“DPPA”).

On June 25, 2014, the United States Supreme Court issued a unanimous opinion in Riley v. California, holding 9-0 that law enforcement personnel cannot search detained suspects’ cell phones without a warrant. Writing for the Court, Chief Justice John Roberts found that the practice of searching cell phones implicates “substantially greater” individual privacy interests than other physical objects that may be found on an arrestee and deserves heightened protections. Roberts stated:

On June 23, 2014, the Article 29 Working Party (the “Working Party”) published its Opinion 7/2014 on the protection of personal data in Québec (the “Opinion”). In this Opinion, the Working Party provides its recommendations to the European Commission on whether the relevant provisions of the Civil Code of Québec and the Québec Act on the Protection of Personal Information in the Private Sector (the “Québec Privacy Act”) ensure an adequate level of protection for international data transfers in accordance with the EU Data Protection Directive 95/46/EC (the “Directive”). Under the Directive, strict conditions apply to personal data transfers to countries outside the European Economic Area that are not considered to provide an adequate level of data protection.

On June 19, 2014, the President’s Export Council (“PEC”) held a meeting to discuss nine key issues, including the effects of foreign laws that restrict cross-border data flows. At the meeting, the private sector members of the PEC submitted a recommendation letter to President Obama expressing their concern about the threat to American business from protectionist, cross-border data transfer restrictions imposed by foreign countries. The letter describes how certain governments are implementing “digital protectionism” in the form of laws and policies restricting the cross-border flow of data (for example, by requiring domestic processing and storage of data citing concerns for personal privacy and national security). These foreign laws may limit the ability of American businesses, particularly small- and medium-sized businesses, to expand their business operations to include countries that enact such measures.

On June 23, 2014, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $800,000 settlement with Parkview Health System, Inc. (“Parkview”) following a complaint involving patient medical records that were dumped by Parkview employees and left unattended on a physician’s driveway.

Cyber incidents have become more common — and more severe — in recent years. Like other federal agencies, the Securities and Exchange Commission (“Commission”) has recently been analyzing the applicability of its existing regulations relating to cybersecurity risks. The Commission’s efforts are focused on maintaining the integrity of market systems, protecting customer data and the disclosure of material information. We provide an overview of recent developments in public company cybersecurity disclosure of particular interest to public companies.

On June 2, 2014, the U.S. Department of Justice announced a U.S.-led multinational effort to disrupt the “Gameover Zeus” botnet and the malware known as “Cryptolocker.” The DOJ also unsealed charges filed in Pittsburgh, Pennsylvania and Omaha, Nebraska against an administrator of Gameover Zeus.

In response to increasing interest in a “risk-based” approach among privacy experts, including policymakers working on the proposed EU General Data Protection Regulation, the Article 29 Working Party (the “Working Party”) published a statement on the role of a risk-based approach in data protection legal frameworks (the “Statement”).

On June 12, 2014, Connecticut Governor Dannel Malloy signed a bill into law that may require retailers to modify their existing Health Insurance Portability and Accountability Act (“HIPAA”) authorizations for pharmacy reward programs. The law, which will become effective on July 1, 2014, obligates retailers to provide consumers with a “plain language summary of the terms and conditions” of their pharmacy reward programs before the consumers may enroll. It also requires retailers to include specific content in their authorization forms that are required pursuant to the HIPAA. If the consumer is required to sign a HIPAA authorization to participate in a pharmacy reward program, the authorization must include the following items “adjacent to the point where the HIPAA authorization form is to be signed:”

It seems that every week brings news that another company has been impacted by a major data breach – and of the resulting financial, legal and public relations costs. As companies seek out ways to prevent these events and recoup losses associated with a data breach, cyber insurance is increasingly discussed as an effective method of recovery. In a recent article published in the Daily Journal, Hunton & Williams’ Insurance Coverage Counseling and Litigation attorney William T. Um offers a primer on cyber insurance, outlining key considerations for businesses as they explore this emerging area of coverage. The article discusses how:

On June 6, 2014, Viviane Reding, Vice-President of the European Commission and EU Commissioner for Justice, outlined the progress that has been made with respect to the proposed EU General Data Protection Regulation (the “Proposed Regulation”) in a meeting of the Council of the European Union, acting through the Justice Council (the “Council”). In particular, the Council has agreed on two important aspects of the Proposed Regulation.

On June 5, 2014, new OpenSSL vulnerabilities were announced, including one vulnerability that permits man-in-the-middle attacks and another that allows attackers to run arbitrary code on vulnerable devices. These vulnerabilities, along with the previously-discovered Heartbleed bug, show that technological solutions alone may not eliminate cyber risk.

On June 3 and 4, 2014, the Article 29 Working Party held a meeting to discuss the consequences of the European Court of Justice’s May 13, 2014 judgment in Costeja, which is widely described as providing a “right to be forgotten.” Google gave effect to the Costeja decision by posting a web form that enables individuals to request the removal of URLs from the results of Google searches that include that individual’s name. The Working Party announced that it welcomed Google’s initiative, but pointed out that it is “too early to comment on whether the form is entirely satisfactory.” The Working Party also announced that it will prepare guidelines to ensure a common approach to the implementation of Costeja by the national data protection authorities. Finally, the Working Party called on search engine operators to implement user-friendly processes that enable users to exercise their right to deletion of search result links containing their personal data.

On June 4, 2014, the U.S. Government Accountability Office (“GAO”) testified before the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law on GAO’s findings regarding (1) companies’ use and sharing of consumer location data, (2) privacy risks associated with the collection of location data, and (3) actions taken by certain companies and federal agencies to protect the privacy of location data. GAO’s testimony relates to its 2012 and 2013 reports that examined the collection of location data by certain mobile industry companies and in-car navigation providers.