On January 4, 2017, the National Institute of Standards and Technology (“NIST”) announced the final release of NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems. NISTIR 8062 describes the concept of applying systems engineering practices to privacy and sets forth a model for conducting privacy risk assessments on federal systems. According to the NIST, NISTIR 8062 “hardens the way we treat privacy, moving us one step closer to making privacy more science than art.”
On January 3, 2017, the Office of Management and Budget (“OMB”) issued a memorandum (the “Breach Memorandum”) advising federal agencies on how to prepare for and respond to a breach of personally identifiable information (“PII”). The Breach Memorandum, which is intended for each agency’s Senior Agency Official for Privacy (“SAOP”), updates OMB’s breach notification policies and guidelines in accordance with the Federal Information Security Modernization Act of 2014 (“FISMA”).
On December 21, 2016, the Financial Industry Regulatory Authority (“FINRA”) announced that it had fined 12 financial institutions a total of $14.4 million for improper storage of electronic broker-dealer and customer records. Federal securities law and FINRA rules require that business-related electronic records be kept in “write once, read many” (“WORM”) format, which prevents alteration or destruction. FINRA found that the 12 sanctioned firms had failed to store such records in WORM format, in many cases for extended periods of time.
On December 28, 2016, the New York State Department of Financial Services (“DFS”) announced an updated version of its cybersecurity regulation for financial institutions (the “Updated Regulation”). The Updated Regulation will become effective on March 1, 2017.
On December 21, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Risk, High Risk, Risk Assessments and Data Protection Impact Assessments under the GDPR (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the interpretation and implementation of the EU General Data Protection Regulation’s (“GDPR's”) provisions relating to risk and risk assessment, which will become applicable on May 25, 2018. While risk assessments already are required under the EU Data Protection Directive, the GDPR broadens the relevance of risk and risk assessment by explicitly and comprehensively incorporating a risk-based approach to data protection.
On November 19, 2016, the French government enacted a bill creating a legal basis for class actions against data controllers and processors resulting from data protection violations. The bill, which aims to facilitate access to justice for French citizens, establishes a general class action regime and includes specific provisions regarding data protection violations. These provisions go beyond the class action provisions already in place for consumers by adding, within the context of the French Data Protection Act of 1978 (“Loi Informatique et Libertés”), a right to class actions for data protection violations regardless of industry sector.
On November 23, 2016, Bloomberg BNA reported that the Hague Administrative Court in the Netherlands upheld a decision by the Dutch Data Protection Authority that WhatsApp was in breach of the Dutch Data Protection Act (the “Act”) on account of its alleged failure to identify a representative within the country responsible for compliance with the Act, despite the processing of personal data of Dutch WhatsApp users on Dutch smartphones. WhatsApp reportedly faces a fine of €10,000 per day up to a maximum of €1 million ...
On November 17, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the interpretation and implementation of the GDPR’s provisions relating to the role of the Data Protection Officer (“DPO”).
On November 14, 2016, Lincoln Financial Securities Corp. (“LFS”), a subsidiary of Lincoln Financial Group, entered into a settlement (the “Settlement”) with the Financial Industry Regulatory Authority (“FINRA”), requiring LFS to pay a $650,000 fine and implement stronger cybersecurity protocols following a 2012 hack into its cloud-based server.
On November 9, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP and AvePoint released the results of a joint global survey launched in May 2016 concerning organizational preparedness for implementing the EU General Data Protection Regulation (“GDPR”). The GDPR replaces Directive 95/46/EC and will become applicable in May 2018.
On October 25, 2016, the United States Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued an advisory entitled Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (the “Advisory”), to help financial institutions understand how to fulfill their Bank Secrecy Act obligations with regard to cyber events and cyber-enabled crime. The Advisory indicates that SAR reporting is mandatory for cyber events where the financial institution “knows, suspects or has reason to suspect a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions….” Implementing this new guidance will require increased collaboration between AML and cybersecurity or IT departments in large institutions, and may create challenges for smaller banks that are more likely to outsource their cybersecurity functions.
On October 7, 2016, the French Digital Republic Bill (the “Bill”) was enacted after a final vote from the Senate. The Bill aligns the French legal data protection framework with the EU General Data Protection Regulation (“GDPR”) requirements before the GDPR becomes applicable in May 2018.
The National Highway Safety Administration (“NHTSA”) recently issued non-binding guidance that outlines best practices for automobile manufacturers to address automobile cybersecurity. The guidance, entitled Cybersecurity Best Practices for Modern Vehicles (the “Cybersecurity Guidance”), was recently previewed in correspondence with the House of Representatives' Committee on Energy and Commerce (“Energy and Commerce Committee”).
On October 14, 2016, the National Highway Transportation Administration (“NHTSA”) indicated in a letter to Congress that it intends to issue new best practices on vehicle cybersecurity. This letter came in response to an earlier request from the House Committee on Energy and Commerce (“Energy and Commerce Committee”) that NHTSA convene an industry-wide effort to develop a plan to address vulnerabilities posed to vehicles by On-Board Diagnostics (“OBD-II”) ports. Since 1994, the Environmental Protection Agency has required OBD-II ports be installed in all vehicles so that they can be tested for compliance with the Clean Air Act. OBD-II ports provide valuable vehicle diagnostic information and allow for aftermarket devices providing services such as “good driver” insurance benefits and vehicle tracking. Because OBD-II ports provide direct access to a vehicle’s internal network; however, OBD-II ports are widely cited as the central vulnerability to vehicle cybersecurity.
On October 11, 2016, Group of Seven (“G-7”) financial leaders endorsed the Fundamental Elements of Cybersecurity for the Financial Sector (“Best Practices”), a set of non-binding best practices for banks and financial institutions to address cybersecurity threats. The endorsement was motivated by recent large hacks on international banks, including the February 2016 theft of $81 million from the central bank of Bangladesh’s account at the New York Federal Reserve.
In September, the Centre for Information Policy Leadership (“CIPL”) held its second GDPR Workshop in Paris as part of its two-year GDPR Implementation Project. The purpose of the project is to provide a forum for stakeholders to promote EU-wide consistency in implementing the GDPR, encourage forward-thinking and future-proof interpretations of key GDPR provisions, develop and share relevant best practices, and foster a culture of trust and collaboration between regulators and industry.
On October 3, 2016, at the Paris Motor Show, the French Data Protection Authority ("CNIL") reported on the progress of a new compliance pack on connected vehicles. The work was launched on March 23, 2016, and should be finalized in Spring 2017.
On September 27, 2016, Cloud Infrastructure Services Providers in Europe (“CISPE”) published its Data Protection Code of Conduct (the “Code”). CISPE, a relatively new coalition of more than 20 cloud infrastructure providers with operations in Europe, has focused the Code on transparency and compliance with EU data protection laws.
On September 27, 2016, the French Data Protection Authority (“CNIL”) announced the adoption of two new decisions, Single Authorizations AU-052 and AU-053, that will now cover all biometric access control systems in the workplace. These two new decisions repeal and replace the previous biometric decisions adopted by the CNIL and lay down the CNIL’s new position on biometric systems used to control access to the premises, software applications and/or devices in the workplace.
On September 22, 2016, Korean law firm Bae, Kim & Lee LLC released a Legal Update outlining amendments to Korea’s Personal Information Protection Act (“PIPA”) and the Act on the Promotion of IT Network Use and Information Protection (“IT Network Act”).
On September 20, 2016, the Department of Transportation, through the National Highway Traffic Safety Administration (“NHTSA”), released federal cyber guidance for autonomous cars entitled Federal Automated Vehicles Policy (“guidance”).
Recently, the National Privacy Commission (the “Commission”) of the Philippines published the final text of its Implementing Rules and Regulations of Republic Act No. 10173, known as the Data Privacy Act of 2012 (the “IRR”). The IRR has a promulgation date of August 24, 2016, and went into effect 15 days after the publication in the official Gazette.
The Office of Management and Budget (“OMB”) recently issued updates to Circular A-130 covering the management of federal information resources. OMB revised Circular A-130 “to reflect changes in law and advances in technology, as well as to ensure consistency with Executive Orders, Presidential Directives, and other OMB policy.” The revised policies are intended to transform how privacy is addressed across the branches of the federal government.
On August 4, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Advocate Health Care Network (“Advocate”), the largest health care system in Illinois, over alleged HIPAA violations. The $5.5 million settlement with Advocate is the largest settlement to date against a single covered entity.
On July 21, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into resolution agreements with two large public health centers, Oregon Health & Science University (“OHSU”) and the University of Mississippi Medical Center (“UMMC”), over alleged HIPAA violations.
On July 20, 2016, the French Data Protection Authority (“CNIL”) announced that it issued a formal notice to Microsoft Corporation (“Microsoft”) about Windows 10, ordering Microsoft to comply with the French Data Protection Act within three months.
Background
Following the launch of Microsoft’s new operation system, Windows 10, in July 2015, the CNIL was alerted by the media and political parties that Microsoft could collect excessive personal data via Windows 10. A group composed of several EU data protection authorities was created within the Article 29 Working Party to examine the issue and conduct investigations in their relevant EU Member States. The CNIL initiated its investigation and carried out seven online inspections in April and June 2016. The CNIL also questioned Microsoft on certain points of its privacy statement.
On July 12, 2016, after months of negotiations and criticism, the EU-U.S. Privacy Shield (“Privacy Shield”) was officially adopted by the European Commission and the Department of Commerce. Similar to the Safe Harbor, companies must certify their compliance with the seven principles comprising the Privacy Shield to use the Shield as a valid data transfer mechanism. Hunton & Williams partner Lisa J. Sotto and associate Chris D. Hydak recently published an article in Law360 entitled “The EU-U.S. Privacy Shield: A How-To Guide.” In the article, Lisa and Chris detail the ...
On July 26, 2016, the U.S. Department of Commerce announced that it has launched a new website that provides individuals and companies with additional information regarding the EU-U.S. Privacy Shield Framework (“Privacy Shield”). Among other things, the website provides information about complying with, and self-certifying to, the Privacy Shield’s principles. The Department of Commerce’s website will begin accepting certifications on August 1, 2016.
This post has been updated.
On July 14, 2016, the U.S. Court of Appeals for the Second Circuit held that Microsoft Corporation (“Microsoft”) cannot be compelled to turn over customer emails stored abroad to U.S. law enforcement authorities.
On July 14, 2016, the Federal Trade Commission issued warning letters to 28 companies relating to apparent false claims of participation in the APEC Cross-Border Privacy Rules (“CBPR”).
The warning letters state that the companies’ websites represent APEC CBPR certification even though the companies do not appear to have undertaken the necessary steps to claim certification, such as a review and approval process by an APEC-recognized Accountability Agent.
On July 6, 2016, the Bavarian Data Protection Authority (“DPA”) issued a short paper on video surveillance under the EU General Data Protection Regulation (“GDPR”).
This paper is part of a series of papers that the Bavarian DPA will issue periodically on specific topics of the GDPR to inform the public about what topics are being discussed within the DPA. The DPA emphasized that these papers are non-binding.
On June 30, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had settled potential HIPAA Security Rule violations with Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”). This is the first enforcement action OCR has taken against a business associate since the HIPAA Omnibus Rule was enacted in 2013. The HIPAA Omnibus Rule made business associates directly liable for their violations of the HIPAA rules. The settlement with CHCS is also notable because it involved a breach that affected fewer than 500 individuals.
On June 28, 2016, the State Internet Information Office of the People’s Republic of China published the Administrative Provisions on Information Services for Mobile Internet Applications (the “App Administrative Provisions”). This is the first regulation that expressly regulates mobile apps in the People’s Republic of China. Before the App Administrative Provisions were published, the P.R.C. Ministry of Industry and Information Technology had published a draft of the Interim Provisions on the Preinstallation and Management of the Distribution of Mobile Intelligent Terminal Applications (“Interim Provisions”). The comment period for the Interim Provisions draft expired six months ago and i’s still uncertain when it will become effective. According to unofficial statistics, domestic app stores have more than 4 million apps in inventory presently, and the number is growing. Those apps will now become highly regulated products under the App Administrative Provisions.
On June 29, 2016, the Federal Trade Commission announced that, to account for inflation, it is increasing the civil penalty maximums for certain violations of the FTC Act effective August 1, 2016. The FTC’s authority for issuing these adjustments comes from the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The Federal Register Notice indicates which sections of the FTC Act the adjustments will apply to, and the corresponding increases. For example, the FTC has increased the maximum fine from $16,000 to $40,000 for certain violations of Section 5 of ...
This post has been updated.
On June 17, 2016, the National Privacy Commission (the “Commission”) of the Philippines released draft guidelines entitled, Implementing Rules and Regulations of the Data Privacy Act of 2012 (“IRR”), for public consultation.
Under the IRR, the processing of personal data has to adhere to the principles of transparency, legitimate purpose and proportionality. The IRR defines personal data as personal information, sensitive information and privileged information. Sensitive information refers to personal information about an individual’s race, ethnicity, health, education, genetic or sexual life of a person, proceedings related to an offense committed by a person, health records and tax returns. According to the IRR, the personal information controller should take organizational, physical and technical security measures for data protection. Such security measures include the designation of a privacy officer, limitations on physical access and the adoption of technical and logical security measures.
With the EU General Data Protection Regulation (“GDPR”) enacted and due to come into force in May 2018, the Centre for Information Policy Leadership at Hunton & Williams and AvePoint have launched a global survey to enable organizations to benchmark their readiness for the GDPR. The survey focuses on the key areas of impact and change for organizations under the GDPR, such as consent, legitimate interest, data portability, profiling, privacy impact assessments, DPOs, data transfers and privacy management program.
On June 22, 2016, the Federal Trade Commission announced a settlement with Singaporean-based mobile advertising network, InMobi, resolving charges that the company deceptively tracked hundreds of millions of consumers’ locations, including children, without their knowledge or consent. Among other requirements, the settlement orders the company to pay $950,000 in civil penalties.
On June 22, 2016, the Bavarian Data Protection Authority (“DPA”) issued a short paper on certifications under Article 42 of the General Data Protection Regulation (“GDPR”). The GDPR will become effective on May 25, 2018.
This paper is part of a series of papers that the Bavarian DPA will be issuing periodically on specific topics of the GDPR to inform the public about what topics are being discussed within the DPA. The DPA emphasizes that these papers are non-binding.
TCCWNA. The very acronym evokes head scratches and sighs of angst and frustration among many lawyers in the retail industry. You have probably heard about it. You may have even been warned about it. And you may currently be trying to figure out how best to minimize your risk and exposure this very moment. But what is it and why has virtually every retailer been hit with a TCCWNA class action demand letter or lawsuit in the past few months? And why are most retailers scrambling to update the terms and conditions of their websites?
As we previously reported, the Supreme Court’s decision in Spokeo v. Robins has been nearly universally lauded by defense counsel as a new bulwark against class actions alleging technical violations of federal statutes. It may be that. But Spokeo also poses a significant threat to defendants by defeating their ability to remove exactly the types of cases that defendants most want in federal court. The decision circumscribes the federal jurisdiction, with all its advantages, that defendants have enjoyed under Class Action Fairness Act (“CAFA”) for the past decade.
On May 19, 2016, the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) announced that its multistakeholder process to develop best practices to address privacy, transparency and accountability issues related to private and commercial use of unmanned aircraft systems (“UAS”) had concluded with the group reaching a consensus on a best practices document. As we previously reported, the NTIA announced in March 2015 the multistakeholder process in response to a Presidential Memorandum issued by the White House in February 2015, which directed NTIA to facilitate discussion between private sector entities to develop standards for commercial UAS use.
Recently, Aegerion Pharmaceuticals announced that it will enter into several settlements and plead guilty to two misdemeanors in connection with alleged violations of HIPAA, drug marketing regulations and securities laws. The criminal charges stem from the company’s marketing of a cholesterol drug called Juxtapid. Aegerion allegedly failed to comply with risk evaluation and management strategies and marketed Juxtapid (which is labeled with a warning about liver toxicity) without proper directions for use.
On May 16, 2016, the United States Supreme Court issued a decision in Spokeo Inc. v. Thomas Robins, holding 6-2 that the Ninth Circuit’s ruling applied an incomplete analysis when it failed to consider both aspects of the injury-in-fact requirement under Article III. Writing for the Court, Justice Samuel Alito found that a consumer could not sue Spokeo, Inc., an alleged consumer reporting agency that operates a “people search engine,” for a mere statutory violation without alleging actual injury.
On May 9, 2016, the Federal Trade Commission announced it had issued Orders to File a Special Report (“Orders”) to eight mobile device manufacturers requiring them to, for purposes of the FTC’s ongoing study of the mobile ecosystem, provide the FTC with “information about how [the companies] issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.” The FTC’s authority to issue such Orders comes from Section 6(b) of the FTC Act.
On May 4, 2016, the Federal Trade Commission issued a press release announcing its recent settlement with the hand-held vaporizers manufacturer, Very Incognito Technologies, Inc. (“Vipvape”). The FTC had charged Vipvape with falsely claiming that it was a certified company under the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules (“CBPR”) framework. The settlement prohibits Vipvape from misleading consumers about its participation in any privacy and security certification program, including the APEC CBPR framework. This is the first CBPR-related case taken up by the FTC.
On April 26, 2016, Korean law firm Bae, Kim & Lee LLC released a Privacy News Alert outlining amendments to Korea’s Personal Information Protection Act (“PIPA”) and the Act on the Promotion of IT Network Use and Information Protection (“IT Network Act”). According to Tae Uk Kang, partner at Bae, Kim & Lee and author of the alert, these amendments to PIPA and the IT Network Act “reflect the general trend concerning the Korean data privacy policy, which is intended to achieve more stringent regulation (and sanctions) of processing personal information.”
The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced resolution agreements with Raleigh Orthopaedic Clinic, P.A., (“Raleigh Orthopaedic”) and New York-Presbyterian Hospital (“NYP”) for HIPAA Privacy Rule violations.
The Federal Trade Commission recently released an interactive tool for mobile health apps. The tool was developed in conjunction with several other federal agencies, including the Department of Health and Human Services’ Office for Civil Rights, the Office of the National Coordinator for Health Information Technology, and the Food and Drug Administration.
With the recent adoption of the EU General Data Protection Regulation (“GDPR”) and the significant changes it will require from organizations, AvePoint has joined forces with the Centre for Information Policy Leadership (“CIPL”), a global privacy policy think tank at Hunton & Williams LLP, to launch the first global survey to benchmark organizations’ readiness for the GDPR.
On April 12, 2016, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs voted to approve the EU General Data Protection Regulation (“GDPR”) by a 54-3 vote, with one abstention. The GDPR replaces Directive 95/46/EC, enacted in 1995, and will significantly change EU data protection laws.
This development clears the way for the European Parliament to rubber stamp the GDPR at a plenary session on April 14, 2016, completing the legislative process for adoption of the GDPR. The GDPR is expected to be published in the Official Journal of the European Union ...
On April 11, 2016, the European Commission launched a public consultation to evaluate and review Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector, also known as the e-Privacy Directive.
Technological advances and the advent of the EU General Data Protection Regulation (“GDPR”) have prompted the European Commission to review the e-Privacy Directive, which was last updated in 2009.
On March 30 through April 1, 2016, the 2016 Nuclear Industry Summit meetings took place in Washington D.C. In the nuclear industry, the issue of cybersecurity has grown steadily in importance over the past decade. This has been most apparent in the increasing attention and effort paid to cyber-based threats under the biennial Nuclear Industry Summit and its international meetings.
On March 24, 2016, the Grand National Assembly of Turkey approved the Law on Personal Data Protection, which is Turkey’s first comprehensive data protection legislation. The law will become effective once it is ratified by Turkey’s President and published in the Official Gazette of the Republic of Turkey.
On March 22, 2016, the Ministry of Commerce of the People’s Republic of China published drafts of its proposed (1) Specifications for Business Services in Mobile E-commerce (“Mobile E-commerce Specifications”) and (2) Specifications for Business Services in Cross-border E-commerce (“Cross-border E-commerce Specifications”). A public comment period on these drafts is now open. Comments will be accepted until May 31, 2016.
On March 23, 2016, the Chairwoman of the French Data Protection Authority (“CNIL”) opened proceedings that will lead to the release of a compliance pack on connected vehicles.
The CNIL announced that the compliance pack will contain guidelines regarding the responsible use of personal data for the next generation of vehicles. It will assist various stakeholders in the industry prepare for the General Data Protection Regulation.
On March 21, 2016, the Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it has commenced Phase 2 of the HIPAA Audit Program. Phase 1 of the HIPAA Audit Program ran from 2011-2012 and produced several notable findings, including that two-thirds of covered entities had not performed a risk assessment as required by the HIPAA Security Rule.
On March 14, 2016, the UK Information Commissioner’s Office (“ICO”) published a guide, Preparing for the General Data Protection Regulation (GDPR) – 12 Steps to Take Now. The guide, which is a high-level checklist with accompanying commentary, sets out a number of points that should inform organizations’ data privacy and governance programs ahead of the anticipated mid-2018 entry into force of the GDPR.
On March 9, 2016, Hunton & Williams LLP hosted a webinar regarding the impact of the EU General Data Protection Regulation (“GDPR”) on global companies. Partner Aaron Simpson moderated the session, and speakers included partner and head of the Global Privacy and Cybersecurity practice Lisa Sotto and partner Wim Nauwelaerts. Together, they explored the key components of the GDPR and discussed a roadmap toward compliance.
The webinar was the first segment in a two-part series, and Part 2 will be held in April.
On March 9, 2016, Hunton & Williams’ Global Privacy and Cybersecurity practice lawyers released a management guide on the EU General Data Protection Regulation (“GDPR”), entitled “Overview of the EU General Data Protection Regulation,” addressing the key impacts the new law will have on businesses. This high-level management guide is intended to provide companies with a roadmap to the Regulation, focusing on topics such as expanded territorial scope, data breach notification rules, the One-Stop Shop concept and the right to be forgotten.
On March 2, 2016, the Consumer Financial Protection Bureau (“CFPB”) reached a settlement with Dwolla, Inc. (“Dwolla”), an online payment system company, to resolve claims that the company made false representations regarding its data security practices in violation of the Consumer Financial Protection Act. Among other things, the consent order imposes a $100,000 fine on Dwolla. This marks the first data security-related fine imposed by the CFPB.
On February 25, 2016, the Asia-Pacific Economic Cooperation (“APEC”) issued a press release announcing the decision by the Joint Oversight Panel of the APEC Electronic Commerce Steering Group to approve the Japan Institute for Promotion of Digital Economy and Community (“JIPDEC”) as a new “Accountability Agent” under the APEC Cross-Border Privacy Rules (“CBPR”) system. Along with TRUSTe, JIPDEC will now be able to independently assess the compliance of companies under the APEC CBPR system. With this approval, Japan is now a fully operational participant in the APEC CBPR system.
Recently, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) published two guidance documents related to HIPAA compliance. To help mobile app developers understand HIPAA compliance obligations, OCR published guidance on the use of mobile health apps (the “Health App Guidance”). OCR also released a crosswalk (the “Crosswalk”) that maps the National Institute of Standards and Technology (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity Framework (the “NIST Cybersecurity Framework”) to the HIPAA Security Rule.
On February 23, 2016, the Federal Trade Commission announced that it reached a settlement with Taiwanese-based network hardware manufacturer ASUSTeK Computer, Inc. (“ASUS”), to resolve claims that the company engaged in unfair and deceptive security practices in connection with developing network routers and cloud storage products sold to consumers in the U.S.
On February 19, 2016, the French Data Protection Authority (“CNIL”) made public its new Single Authorization Decision No. 46 (“Single Authorization AU-46”). This decision relates to the data processing activities of public and private organizations with respect to the preparation, exercise and follow-up regarding disciplinary or court actions, and the enforcement of those actions.
On February 16, 2016, California Attorney General Kamala D. Harris released the California Data Breach Report 2012-2015 (the “Report”) which, among other things, provides (1) an overview of businesses’ responsibilities regarding protecting personal information and reporting data breaches and (2) a series of recommendations for businesses and state policy makers to follow to help safeguard personal information.
On February 3, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that an Administrative Law Judge (“ALJ”) ruled that Lincare, Inc. (“Lincare”) violated the HIPAA Privacy Rule and ordered the company to pay $239,800 to OCR.
On December 30, 2015, Taiwan’s Office of the President issued an order to promulgate certain amendments (the “Amendments”) to Taiwan’s Personal Data Protection Law (the “PDPL”). The Amendments revise 12 articles in the PDPL. The Amendments concern the collection and use of sensitive personal data, the form of consent for the collection and use of non-sensitive personal data, and the imposition of criminal liability for violations of certain provisions of the PDPL. The Amendments are expected to become effective in the first half of 2016 on a date to be determined by the Executive Yuan.
On December 28, 2015, the People's Bank of China published Administrative Measures for Online Payment Business of Non-bank Payment Institutions (the “Measures”). The Measures were enacted to provide further details on the regulation of online payment businesses, in supplement to the earlier Administrative Measures for the Payment Services of Non-financial Institutions (the “2010 Measures”), published by the People's Bank of China on June 14, 2010. The 2010 Measures regulated the conduct of all payment services, including both online payment methods and three other types of payment methods, by all types of Non-bank Payment Institutions (“NBPIs”). The newer Measures are more focused and apply only to online payment methods, and only to NBPIs which have already obtained a Payment Business License and are engaged in an online payment business.
On January 5, 2016, the Federal Trade Commission announced that dental office management software provider, Henry Schein Practice Solutions, Inc. (“Schein”), agreed to settle FTC charges that accused the company of falsely advertising the level of encryption it used to protect patient data. The proposed Agreement Containing Consent Order (“Consent Order”) stems from an FTC complaint that alleged the company engaged in unfair or deceptive acts or practices by falsely representing that the Dentrix G5 software used industry-standard encryption and helped dentists protect patient data in accordance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
On January 1, 2016, a Dutch law became effective that (1) includes a general obligation for data controllers to notify the Data Protection Authority (“DPA”) of data security breaches, and (2) authorizes the DPA to impose direct fines for violations of the Data Protection Act.
On December 27, 2015, the Standing Committee of the National People’s Congress of the People’s Republic of China published the P.R.C. Anti-Terrorism Law. The law was enacted in response to a perceived growing threat from extremists and terrorists, particularly in regions in Western China, and came into effect on January 1, 2016.
On December 30, 2015, the Department of Defense (“DoD”) issued a second interim rule (80 F. R. 81472) that extends the deadline by which federal contractors must implement the new cybersecurity requirements previously issued by the agency. This extension pushes back the compliance deadline to December 31, 2017.
Late last year the Federal Trade Commission issued enforcement guidance on “native advertising” — ads that purposely are formatted to appear as noncommercial and are integrated into surrounding editorial content. The agency’s guidance took two parts: an Enforcement Policy Statement on deceptively formatted ads, and a Guide for Business on native advertising. These long-awaited guidance documents follow on the FTC’s December 2013 “Blurred Lines” workshop on native advertising. Importantly, the FTC notes that its policy statement does not apply just to advertisers but also to other parties that help create the content: ad agencies, ad networks and potentially, publishers.
On December 15, 2015, the California Attorney General announced an approximately $25 million settlement with Comcast Cable Communications, LLC (“Comcast”) stemming from allegations that Comcast disposed of electronic equipment (1) without properly deleting customer information from the equipment and (2) in landfills that are not authorized to accept electronic equipment. The settlement must be approved by a California judge before it is finalized.
On December 17, 2015, the FTC announced a pair of COPPA settlements against operators of child-directed mobile apps available for download in the major app stores. These cases are the FTC’s first COPPA actions involving the collection of persistent identifiers, and no other personal information, from children since the FTC’s updated COPPA Rule went into effect in 2013. The FTC levied civil penalties, totaling $360,000, in both cases.
On December 14, 2015, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had settled potential HIPAA Security Rule violations with the University of Washington on behalf of the university’s medical center, medical school and affiliated labs and clinics (collectively, “UW Medical”).
On December 17, 2015, after three years of drafting and negotiations, the European Parliament and Council of the European Union reached an informal agreement on the final draft of the EU General Data Protection Regulation (the “Regulation”), which is backed by the Committee on Civil Liberties, Justice and Home Affairs.
On December 9, 2015, the Federal Trade Commission announced that Wyndham Worldwide Corporation (“Wyndham”) settled charges brought by the FTC stemming from allegations that the company unfairly failed to maintain reasonable data security practices. The case is FTC v. Wyndham Worldwide Corporation, et al. (2:13-CV-01887-ES-JAD) in the U.S. District Court for the District of New Jersey.
On November 30, 2015, the U.S. Department of Health and Human Services (“HHS”) announced that Triple-S Management Corporation ("Triple-S"), an insurance holding company based in San Juan, Puerto Rico, agreed on behalf of certain of its subsidiaries to settle potential violations of the HIPAA Privacy and Security Rules with HHS’s Office for Civil Rights (“OCR”).
On November 19, 2015, the European Data Protection Supervisor (the “EDPS”) published an Opinion entitled Meeting the Challenges of Big Data (the "Opinion"). The Opinion outlines the main challenges, opportunities and risks of big data, and the importance placed on companies processing large volumes of personal data to implement innovative methods to comply with data protection laws.
On November 16, 2015, the Legislative Affairs Office of the State Council of the People's Republic of China published a draft Regulation for Couriers (the “Regulation”) and requested public comment on the Regulation. Interested parties have until mid-December 2015 to submit comments on the Regulation. The Regulation comes at a time when courier services and online shopping are growing steadily in China. Under the Regulation, the sender of a parcel will be required to fill in his or her real name and address, the telephone numbers of both the sender and the recipient, as well as the name, quantity and nature of the object being couriered.
On November 5, 2015, the Enforcement Bureau of the Federal Communications Commission (“FCC”) entered into a Consent Decree with cable operator Cox Communications to settle allegations that the company failed to properly protect customer information when the company’s electronic data systems were breached in August 2014 by a hacker. The FCC alleged that Cox failed to properly protect the confidentiality of its customers’ proprietary network information (“CPNI”) and personally identifiable information, and failed to promptly notify law enforcement authorities of security breaches involving CPNI in violation of the Communications Act of 1934 and FCC’s rules.
On November 13, 2015, the French Data Protection Authority (“CNIL”) announced its decision in a case against Optical Center, imposing a fine of €50,000 on the company for violations related to the security and confidentiality of its customers’ personal data.
On October 26, 2015, the German federal and state data protection authorities (the “German DPAs”) published a joint position paper on Safe Harbor and potential alternatives for transfers of data to the U.S. (the “Position Paper”).
On September 25, 2015, the UK Information Commissioner’s Office (the “ICO”) issued a fine of £200,000 (approximately $303,000) to Home Energy & Lifestyle Management Ltd. (“HELM”) for making a large number of automated marketing calls in violation of the UK’s direct marketing laws. This is the largest fine that the ICO has issued to date in connection with automated marketing calls.
On September 11, 2015, the Federal Communications Commission (“FCC”) announced that Lyft Inc. (“Lyft”) and First National Bank Corporation (“FNB”) violated the Telephone Consumer Protection Act (“TCPA”) by forcing their users to consent to receive automated text messages as a condition of using their services. The FCC warned that these violations could result in fines if they continue.
On September 8, 2015, representatives from the U.S. Government and the European Commission initialed a draft agreement known as the Protection of Personal Information Relating to the Prevention, Investigation, Detection and Prosecution of Criminal Offenses (the “Umbrella Agreement”). The European Commission’s stated aim for the Umbrella Agreement is to put in place “a comprehensive high-level data protection framework for EU-U.S. law enforcement cooperation.” The Umbrella Agreement has been agreed upon amid the ongoing uncertainty over the future of the U.S.-EU Safe Harbor, and was drafted shortly before the release of the September 23 Advocate General’s Opinion in the Schrems v. Facebook litigation. The content of the Umbrella Agreement is in its final form, but its implementation is dependent upon revisions to U.S. law that are currently before Congress.
On August 20, 2015, the Bavarian Data Protection Authority (“DPA”) issued a press release stating that it imposed a significant fine on a data controller for failing to adequately specify the security controls protecting personal data in a data processing agreement with a data processor.
On September 2, 2015, the French Data Protection Authority (“CNIL”) published the results of an Internet sweep of 54 websites visited by children and teenagers. The sweep was conducted in May 2015 to assess whether websites that are directed toward, frequently used by or popular among children comply with French data protection law. As we previously reported, the sweep was coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”). The CNIL and 28 other DPAs that are members of the GPEN participated in the coordinated online audit. A total of 1,494 websites and apps were audited around the world.
On August 26, 2015, the U.S. Department of Defense (“DoD”) published an interim rule entitled Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013–D018) (the “Interim Rule”), that streamlines the obligations for contractors to report network penetrations and establishes DoD requirements for contracting with cloud computing service providers. The Interim Rule amends the information security contracting framework set forth in the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement section 941 of the National Defense Authorization Act (“NDAA”) for Fiscal Year (“FY”) 2013 and section 1632 of the NDAA for FY 2015, both of which impose cyber incident reporting obligations on contractors.
On August 14 and August 26, 2015, the Conference of the Data Protection Commissioners of the Federal Government and the Federal States (Länder) issued a detailed position paper (“Position Paper”) and a press release on the main issues for the trilogue negotiations on the proposed EU General Data Protection Regulation (the “Regulation”). In the Position Paper and press release, the participating German Data Protection Commissioners (“German DPAs”) request the trilogue partners to focus on the following issues:
On July 30, 2015, the Bavarian Data Protection Authority (“DPA”) issued a press release stating that it imposed a significant fine on both the seller and purchaser in an asset deal for unlawfully transferring customer personal data as part of the deal.
On July 10, 2015, the Federal Communications Commission (“FCC”) released a Declaratory Ruling and Order that provides guidance with respect to several sections of the Telephone Consumer Protection Act (“TCPA”). The Declaratory Ruling and Order responds to 21 separate requests from industry, government and others seeking clarifications regarding the TCPA and related FCC rules.
Hunton & Williams’ EU Privacy and Cybersecurity practice lawyers recently authored The Proposed EU General Data Protection Regulation – A guide for in-house lawyers (the “Guide”), addressing the key impacts of the forthcoming changes to EU data protection law. Current EU data protection law is based on the EU Data Protection Directive 95/46/EC (the “Directive”), which was introduced in 1995. An updated and more harmonized data protection law, in the form of a Regulation, has been proposed by the EU’s legislative bodies to replace the Directive. The Guide is intended to assist in-house lawyers in understanding the likely impact of the Regulation on businesses. While still under negotiation, the Regulation will significantly change the landscape of EU privacy and data protection in several key areas, including:
On April 23, 2015, the Federal Trade Commission (“FTC”) announced that Nomi Technologies (“Nomi”) has agreed to settle charges stemming from allegations that the company misled consumers with respect to their ability to opt out of the company’s mobile device tracking service at retail locations. The settlement marks the FTC’s first Section 5 enforcement action against a company that provides tracking services at retailers.
On February 26, 2015, the Department of Education’s Privacy Technical Assistance Center (“PTAC”) issued guidance to assist schools, school districts and vendors with understanding the primary laws regulating student privacy and how compliance with those laws may be affected by Terms of Service (“TOS”) offered by providers of online educational services and mobile applications. The guidance also is intended to aid school districts and schools in implementing separate guidance issued by the PTAC in February 2014. The guidance was accompanied by a short training video directed to teachers, administrators and other relevant staff.
On January 27, 2015, the Federal Trade Commission announced the release of a report on the Internet of Things: Privacy and Security in a Connected World (the “Report”). The Report describes the current state of the Internet of Things, analyzes the benefits and risks of its development, applies privacy principles to the Internet of Things and discusses whether legislation is needed to address this burgeoning area. The Report follows a workshop by the FTC on this topic in November 2013.
On December 18, 2014, the Financial Crimes Enforcement Network (“FinCEN”) issued a $1 million civil penalty against Thomas E. Haider, the former Chief Compliance Officer of MoneyGram International, Inc. (“MoneyGram”). In a press release announcing the assessment, FinCEN alleged that during Haider’s oversight of compliance for MoneyGram, he failed to adequately respond to thousands of customer complaints regarding schemes that utilized MoneyGram to defraud consumers. In coordination with FinCEN, the U.S. Attorney’s office in the Southern District of New York filed a civil complaint on the same day, seeking a $1 million civil judgment against Haider to collect on the assessment and requesting injunctive relief barring him from participating in the affairs of any financial institution located or conducting business in the United States.
On December 19, 2014, the Federal Trade Commission announced a settlement of at least $90 million with mobile phone carrier T-Mobile USA, Inc. (“T-Mobile”) stemming from allegations related to mobile cramming. This settlement amount will primarily be used to provide refunds to affected customers who were charged by T-Mobile for unauthorized third party charges. As part of the settlement, T-Mobile also will pay $18 million in fines and penalties to the attorneys general of all 50 states and the District of Columbia, and $4.5 million to the Federal Communications Commission.
In an article entitled The Rise of Accountability from Policy to Practice and Into the Cloud published by the International Association of Privacy Professinals, Bojana Bellamy, President of the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”), outlines the rapid global uptake of “accountability” as a cornerstone of effective data protection and points to the recent ISO 27018 data privacy cloud standard as one of the latest examples.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code