Privacy & Information Security Law Blog

This week, the Securities and Exchange Commission (“SEC”) announced the creation of a new Cyber Unit that will target cyber-related threats that may impact investors. The Cyber Unit, which will be part of the SEC’s Enforcement Division, will seek to combat various types of cyber-related threats including:

On September 25, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a discussion paper on Regulating for Results: Strategies and Priorities for Leadership and Engagement (the “Discussion Paper”). The Discussion Paper aims to stimulate dialogue about strategies and priorities for data protection authorities (“DPAs”) by putting forward a number of key questions. For example:

On September 20, 2017, the French Data Protection Authority (CNIL) announced that it has updated two standards on privacy seals in order to take into account the requirements of the EU General Data Protection Regulation (“GDPR”).

On September 22, 2017, the Federal Trade Commission published the tenth blog post in its “Stick with Security” series. As previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Put procedures in place to keep your security current and address vulnerabilities that may arise, outlines how and why companies should keep their security up to date and respond quickly to credible threats.

On September 19, 2017, the French Data Protection Authority (“CNIL”) launched an online public consultation on two topics identified by the Article 29 Working Party (“Working Party”) in its 2017 action plan for the implementation of the EU General Data Protection Regulation (“GDPR”). These two topics are transparency and international data transfers.

The Federal Trade Commission will host a workshop on informational injury on December 12, 2017.  The FTC’s three main goals for hosting the workshop are to:

1. “Better identify the qualitatively different types of injury to consumers and businesses from privacy and data security incidents;”
2. “Explore frameworks for how the FTC might approach quantitatively measuring such injuries and estimate the risk of their occurrence;” and
3. “Better understand how consumers and businesses weigh these injuries and risks when evaluating the tradeoffs to sharing, collecting, storing and using information.”

Hunton & Williams LLP is pleased to announce that Lisa Sotto, chair of the firm’s top-ranked Global Privacy and Cybersecurity practice and managing partner of the firm’s New York office, has been selected as an arbitrator in connection with the EU-U.S. Privacy Shield Framework Binding Arbitration Program.

Stephen Mathias of the law firm Kochhar & Co. reports from India that in a landmark judgment delivered in August 2017, the Supreme Court of India (“Court”) unanimously held that the right to privacy is a fundamental right under the Constitution of India. The Court also delivered six separate concurring judgments, with the main judgment being delivered by four of the nine judges.

On September 18, 2017, the European Commission (“Commission”) and U.S. Department of Commerce (“Department”) kicked off their first annual joint review of the EU-U.S. Privacy Shield (“Privacy Shield”).  To aid in the review, the Department invited a few industry leaders, including Hunton & Williams’ partner Lisa J. Sotto, who chairs the firm’s Global Privacy and Cybersecurity practice and the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee, to speak about their experiences during the first year of the Privacy Shield.

On September 15, 2017, the Federal Trade Commission published the ninth blog post in its “Stick with Security” series. As previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Make sure your service providers implement reasonable security measures, highlights the importance for companies to ensure that the service providers they engage with implement reasonable security measures.

On September 8, 2017, the Council of the European Union published its proposed revisions to the draft E-Privacy Regulation (“EPR”), which was first published by the European Commission in January 2016. The revisions have been made based on written comments and discussions involving the Working Party for Telecommunications and Information Society (“WP TELE”) and serve as a discussion for further meetings of the group in late September 2017.

On September 14, 2017, the UK Government introduced a new Data Protection Bill (the “Bill”) to Parliament. The Bill is intended to replace the UK’s existing Data Protection Act 1998 and enshrine the EU General Data Protection Regulation (the “GDPR”) into UK law once the UK has left the European Union. The GDPR allows EU Member States to enact, via national law, exemptions from the various provisions of the GDPR, which the Bill also seeks to implement.

On September 13, 2017, the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy published a Joint Communication to the European Parliament and the Council of the European Union on “Resilience, Deterrence and Defence: Building strong cybersecurity for the EU” (“Joint Communication”). This Joint Communication is part of a package of EU documents adopted on the same date aimed at delivering a stronger EU response to cyber attacks. In particular, the Joint Communication puts forward targeted measures to (1) build greater EU resilience to cyber attacks, (2) better detect cyber attacks, and (3) strengthen international cooperation on cybersecurity.

On September 8, 2017, the Federal Trade Commission published the eighth blog post in its “Stick with Security” series. As previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Apply sound security practices when developing new products, outlines the importance of building security into product development from the start.

On September 11, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on the Proposal for an ePrivacy Regulation (the “White Paper”). The White Paper comments on the European Commission’s proposal to replace and modernize the privacy framework for electronic communications contained in the current ePrivacy Directive and to align it with the EU General Data Protection Regulation (“GDPR”).

On September 8, 2017, the Federal Trade Commission announced that it had settled charges against three companies for misleading consumers about their participation in the Privacy Shield framework. The FTC alleged that Decusoft, LLC, Tru Communication, Inc. and Md7, LLC violated the FTC Act by falsely claiming that they were certified to the EU-U.S. Privacy Shield, when in fact the three companies never completed the Privacy Shield certification process. In addition, Decusoft falsely claimed to be certified to the Swiss-U.S. Privacy Shield. This marks the first enforcement action brought by the FTC pursuant to the Privacy Shield.

On September 7, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) issued an announcement containing disaster preparedness and recovery guidance in advance of Hurricane Irma. The announcement follows a bulletin issued in late August during Hurricane Harvey that addressed how protected health information (“PHI”) can be shared during emergencies. Together, these communications underscore key privacy and security issues for entities covered by HIPAA to help them protect individuals’ health information before, during and after emergency situations.

On September 5, 2017, the FTC announced that Lenovo, Inc. (“Lenovo”) agreed to settle charges that its preloaded software on some laptop computers compromised online security protections in order to deliver advertisements to consumers. The settlement agreement (the “Settlement”) is between Lenovo, the FTC and 32 State Attorneys General. 

On August 31, 2017, the National Information Security Standardization Technical Committee of China published four draft voluntary guidelines (“Draft Guidelines”) in relation to the Cybersecurity Law of China. The Draft Guidelines are open for comment from the general public until October 13, 2017.

On September 1, 2017, the FTC published the seventh blog post in its “Stick with Security” series. As we previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Secure remote access to your network, outlines important security measures businesses should take to ensure that outside entryways to their systems are sensibly defended.