Privacy & Information Security Law Blog

Recently, the General Services Administration (“GSA”) announced its plan to upgrade its cybersecurity requirements in an effort to build upon the Department of Defense’s new cybersecurity requirements, DFAR Section 252.204-7012, that became effective on December 31, 2017.

On January 30, 2018, the UK Court of Appeal ruled that the Data Retention and Investigatory Powers Act (“DRIPA”) was inconsistent with EU law. The judgment, pertaining to the now-expired act, is relevant to current UK surveillance practices and is likely to result in major amendments to the Investigatory Powers Act (“IP Act”), the successor of DRIPA.

On January 23, 2018, the New York Attorney General announced that Aetna Inc. (“Aetna”) agreed to pay $1.15 million and enhance its privacy practices following an investigation alleging it risked revealing the HIV status of 2,460 New York residents by mailing them information in transparent window envelopes. In July 2017, Aetna sent HIV patients information on how to fill their prescriptions using envelopes with large clear plastic windows, through which patient names, addresses, claims numbers and medication instructions were visible. Through this, the HIV status of some patients was visible to third parties. The letters were sent to notify members of a class action lawsuit that, pursuant to that suit’s resolution, they could purchase HIV medications at physical pharmacy locations, rather than via mail order delivery.

On January 23, 2018, multinational consulting firm Capgemini interviewed Bojana Bellamy, President of the Centre for Information Policy Leadership at Hunton & Williams, for their “Jane Meets” video series with the Chief Information Security Officer (“CISO”). Bellamy spoke with the CISO of Capgemini about companies’ readiness to comply with the EU General Data Protection Regulation (“GDPR”). In response to a question about the key responsibilities of a CISO in GDPR compliance, Bellamy said, “…where I see great involvement for CISO also is in ensuring that the company is ready to deal with security breaches. So it’s not just about preventing the breach, which is obvious, but it’s also about readiness to deal with the breach and readiness to then manage the breach and notify individuals and regulators, because that is what [the] GDPR requires.”

On January 25, 2018, the Standardization Administration of China published the full text of the Information Security Technology – Personal Information Security Specification (the “Specification”). The Specification will come into effect on May 1, 2018. The Specification is voluntary, but could become influential within China because it establishes benchmarks for the processing of personal information by a wide variety of entities and organizations. In effect, the Specification constitutes a best practices guide for the collection, retention, use, sharing and transfer of personal information, and for the handling of related information security incidents.

On January 18, 2018, the Federal Energy Regulatory Commission (“FERC”) issued a Notice of Proposed Rulemaking (“NOPR”) that proposes the adoption of new mandatory Reliability Standards designed to mitigate cybersecurity risk in the supply chain for electric grid-related cyber systems. The Reliability Standards were developed by the North American Electric Reliability Corporation (“NERC”) in response to FERC Order No. 829, which ordered the development of standards to address supply chain risk management for industrial control system hardware, software and computing and networking services.

On January 24, 2018, the European Commission issued a communication to the European Parliament and the Council (the “Communication”) on the direct application of the EU General Data Protection Regulation (“GDPR”). The Communication (1) recounts novel elements of the GDPR that create stronger protections for individuals and new opportunities for organizations; (2) reviews preparatory work undertaken to date for GDPR implementation; (3) outlines remaining steps for successful preparation; and (4) outlines measures the European Commission intends to take up until May 25, 2018.

On January 22, 2018, the New York Department of Financial Services (“NYDFS”) issued a press release reminding entities covered by its cybersecurity regulation that the first certification of compliance with the regulation is due on or prior to February 15, 2018. Covered entities must file the certification, which covers the 2017 calendar year, at the NYDFS online portal.

On January 18, 2018, Hunton & Williams LLP’s retail industry lawyers, composed of more than 100 lawyers across practices, released their annual Retail Year in Review publication. The Retail Year in Review includes several articles authored by our Global Privacy and Cybersecurity lawyers, and touches on many topics of interest including blockchain, ransomware, cyber insurance and the Internet of Things.

Read the full publication.

On January 18, 2018, the Federal Trade Commission (“FTC”) released its 2017 Privacy & Data Security Update (the “Report”). The annual Report, which summarizes the privacy and data security-related activities conducted by the FTC over the past year, is broken down into five key areas: (1) enforcement; (2) advocacy; (3) workshops; (4) reports and surveys; (5) consumer education and business guidance; and (6) international engagement.

Read the full Report.

Hunton & Williams LLP is pleased to announce that Richard Thomas, Global Strategy Advisor to the Centre for Information Policy Leadership, has been appointed by the UK Prime Minister to serve as a member of its Advisory Committee on Business Appointments (“ACOBA”), effective February 1, 2018.

On January 10, 2018, the Law of 3 December 2017 creating the Data Protection Authority (the “Law”) was published in the Belgian Official Gazette. The Law was submitted in the Chamber of Representatives on August 23, 2017, and was approved by the Parliament in plenary meeting on November 16, 2017.

On January 8, 2017, the UK Information Commissioner (“ICO”) issued an unprecedented monetary penalty of £400,000 against British mobile phone retailer, The Car Phone Warehouse Limited. Following an attack on their system in 2015, the ICO found that the company had failed to take adequate steps to protect the personal data it held on its system.

On January 9, 2018, the FTC issued a paper recapping the key takeaways from the FTC’s and National Highway Traffic Safety Administration’s June 2017 workshop on privacy and security issues involving connected cars. The workshop featured representatives from consumer groups, industry, government and academia.

On January 8, 2018, the FTC announced an agreement with electronic toy manufacturer, VTech Electronics Limited and its U.S. subsidiary, settling charges that VTech violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting personal information from hundreds of thousands of children without providing direct notice or obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected. Under the agreement, VTech will (1) pay a $650,000 civil penalty; (2) implement a comprehensive data security program, subject to ...