Privacy & Information Security Law Blog

On June 18, 2013, the New York office of Hunton & Williams LLP office hosted Cornell University’s Privacy and Data Security Symposium, Privacy, Security & Your Data - Concerns in a Changing World. The program focused on global privacy and cybersecurity issues, including protecting the personal information of Internet users, balancing user privacy with law enforcement concerns, and implementing responsible data stewardship and governance. Moderated by Cornell University’s Tracy Mitrano, Director of IT Policy and Institute for Computer Policy and Law, the panel included:

In recent months, the Belgian media has reported on a significant increase in data breaches. In December 2012, the National Belgian Railway Company inadvertently published 1.46 million sets of customer data online. The rise in data security incidents has caught the attention of the Belgian Privacy Commission, which has the authority to make recommendations on any matter relating to the application of the fundamental data protection principles in the Belgian Data Protection Act of December 8, 1992. In a May 2013 article published in Bloomberg BNA’s World Data Protection Report

The Centre for Information Policy Leadership at Hunton & Williams LLP is pleased to announce that Bojana Bellamy, global director of data privacy for Accenture, will be joining the firm as president of the Centre, effective September 2, 2013. Current Centre President, Marty Abrams, who is retiring on September 1, will stay on as an advisor to the Centre.

The Bavarian data protection authority recently updated its compliance initiative regarding online tracking tools to include Adobe’s online tracking product (Adobe Analytics (Omniture)). As with previous initiatives of this nature, the underlying analyses were carried out in an automated manner, using a program specifically developed by the Bavarian data protection authority to verify compliance.

On June 24, 2013, the European Commission announced new technical implementing measures that address the EU data breach notification requirement for telecom operators and internet service providers (“ISPs”). Based on a Commission Regulation, these companies must:

• notify the competent national authority of the incident (or at least provide an initial description thereof) within 24 hours after detection of the breach;
• outline which data are affected and what measures have been or will be taken by the company;
• pay attention to the type of data compromised when assessing whether to notify subscribers (i.e. evaluating whether the breach is likely to have an adverse effect on personal data or privacy); and
• use a standardized format for notifying the competent national authority (e.g. an online form which is the same for all EU Member States).

Hunton & Williams LLP proudly announces that the firm’s global Privacy and Cybersecurity practice was top-ranked in both The Legal 500 United States and EMEA 2013 guides. This is the fourth consecutive year that the practice has been listed in “Tier 1” by The Legal 500 United States.

On July 1, 2013, Practising Law Institute (“PLI”) hosts its first symposium on Cybersecurity 2013: Managing the Risk in New York. Hunton & Williams partner Lisa J. Sotto is the Chair of the event. The program features timely cybersecurity topics, including the threat landscape, the legal environment (such as the Obama Administration’s Executive Order on Cybersecurity), and how companies can manage cybersecurity incidents when they occur and seek to prevent cyber attacks before they occur. Hunton & Williams partner Paul M. Tiao and Centre for Information Policy Leadership ...

On June 20, 2013, the UK Information Commissioner’s Office (“ICO”) launched its Annual Report and Financial Statements for 2012/13 (the “Report”). Introducing the Report, Information Commissioner Christopher Graham strongly emphasized that, as consumers become increasingly aware of their information rights, good privacy practices will become a commercial benefit and a business differentiator. He outlined the seven key “e”s of the ICO’s role: enforce, educate, empower, enable, engage, and to be effective and efficient.

On June 14, 2013, the European Data Protection Supervisor (the “EDPS”) issued an Opinion regarding a joint communication by the European Commission and the High Representative of the Union for Foreign Affairs and Security Policy, Cyber Security Strategy of the European Union: an Open, Safe and Secure Cyberspace (the “Strategy”), as well as the European Commission’s proposed draft directive to ensure uniformly high security measures for network and information security across the EU (the “NIS Directive”). The EDPS welcomes recognizing privacy and data protection as core values of a robust cybersecurity policy, as opposed to separating out security and privacy, but draws attention to several deficiencies, stating that “the ambitions of the strategy are not reflected in how it will be implemented.”

On June 14, 2013, Texas Governor Rick Perry signed a bill requiring law enforcement agencies to obtain warrants before accessing customer electronic data held by email service providers. Introduced on March 4, 2013, the bill passed unanimously in both the Texas House and Senate on May 7 and May 22, respectively. The law takes effect immediately.

On June 13, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $275,000 settlement with Shasta Regional Medical Center (“Shasta”) that pertained to impermissible disclosures of protected health information (“PHI”) by Shasta officials to the media, as well as to Shasta’s entire workforce.

On June 17, 2013, the Federal Trade Commission announced that FTC Chair Edith Ramirez has appointed Jessica Rich as Director of the Bureau of Consumer Protection. Rich has served in several leadership roles in the FTC’s Bureau of Consumer Protection during her 20-year tenure with the agency. Most recently, she served as Associate Director of the Division of Financial Practices.

On June 11, 2013, the United States Court of Appeals for the Seventh Circuit denied software maker comScore, Inc.’s petition to appeal class certification in a litigation related to comScore software that allegedly collected extensive data from consumers’ computers without authorization. The plaintiffs alleged that comScore (an online analytics company) gathered data from consumers’ computers through software that it bundled with third-party software, such as free screensavers, games, music-copying programs and greeting card templates. According to the plaintiffs, this software collected data including “the monitored consumer’s usernames and passwords; queries on search engines...; the website(s) the monitored consumer is currently viewing; credit card numbers and any financial or otherwise sensitive information inputted into any website the monitored consumer views; the goods purchased online by the monitored consumer, the price paid by the monitored consumer for the goods, and amount of time the monitored consumer views the goods before purchase; and specific advertisements clicked by the monitored consumer,” as well as data about all files on the consumer’s computer.

As reported in the Hunton Employment & Labor Perspectives Blog:

In an article to be published this month in the Seton Hall University Law Review, Hunton & Williams partners Terry Connor and Kevin White question whether the Equal Employment Opportunity Commission (“EEOC”) had the statutory authority to publish its April 2012 Guidance interpreting Title VII to impose disparate impact liability on employers who consider applicants’ criminal backgrounds as part of the hiring process.

On June 13, 2013, the Food and Drug Administration (“FDA”) published a safety communication and guidance regarding the vulnerability of medical devices to cyberattacks. The safety communication, Cybersecurity for Medical Devices and Hospital Networks, is intended for “[m]edical device manufacturers, hospitals, medical device user facilities, health care IT and procurements staff; and biomedical engineers.” The safety communication notes that because medical devices can be connected to other devices and the Internet, such devices are exposed to cyber attacks that might result from malware infections, the exploitation of weak password protections, a lack of updated security patches and security vulnerabilities in software installed on medical devices.

On June 14, 2013, the French Data Protection Authority (“CNIL”) announced that last March it had created an internal working group to study the privacy issues arising from the access of the personal data of French citizens by foreign public authorities. The CNIL further announced that the working group has decided to organize meetings with the various concerned stakeholders (attorneys, telecommunications operators, public institutions and non-governmental organizations) and that it has already had discussions with some of them. A summary of the CNIL’s findings is expected to be published in September 2013.

The UK Information Commissioner’s Office (“ICO”) has published guidance on the application of the Data Protection Act 1998 (“DPA”) to social networking sites and online forums. The guidance emphasizes that organizations and individuals that process data for non-personal purposes must comply with DPA requirements in their use of social networking sites and online forums just as they would in any other context.

On June 7, 2013, the Japanese Government applied to participate in the APEC Cross-Border Privacy Rules program. Japan’s application will be reviewed to verify that Japan has the necessary legal mechanisms to ensure that certified companies can be held accountable. If approved, Japan will join the United States and Mexico, which also are APEC-certified economies, and it is likely a number of Japanese seal programs will apply for certification as accountability agents. Once the requisite elements are in place, Japanese companies will be able to apply for approval of their cross-border privacy rules.

In May 2013, the Federal Trade Commission released a new guide entitled Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business (the “Guide”) to help businesses and organizations determine whether they are subject to the FTC’s Red Flags Rule (“Red Flags Rule”) and how to meet the Rule’s requirements. The FTC’s Guide includes information regarding what types of entities must comply with the Red Flags Rule, a set of FAQs, and a four-step process to achieve compliance.

As we previously reported, on May 31, 2013, the Irish Presidency of the Council of the European Union’s Justice and Home Affairs released a draft compromise text in response to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). This compromise text narrows the scope of the Proposed Regulation and seeks to move from a detailed, prescriptive approach toward a risk-based framework.

On June 6, 2013, the European Union’s Justice and Home Affairs Council held legislative deliberations regarding key issues concerning the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). The discussions were based on the Irish Presidency’s draft compromise text on Chapters I to IV of the Proposed Regulation, containing the fundamentals of the proposal and reflecting the Presidency’s view of the state of play of negotiations. At the Council meeting, the Presidency was seeking general support for the conclusions drawn in their draft compromise text on the key issues in Chapters I to IV.

On June 3, 2013, the French Data Protection Authority (“CNIL”) published an article outlining the importance of binding corporate rules (“BCRs”) for data processors, and describing how to use them.

On June 6, 2013, a group of 300 gathered in Santa Marta, Colombia, the second oldest city in South America, for the First Latin America Congress on Data Protection. The Congress was organized by Colombia’s data protection authority, the Superintendency of Industry and Commerce, and the Centre for Information Policy Leadership at Hunton & Williams LLP. “Latin America is very important to Centre member companies, and education is a key element of the Centre’s Latin America Project. So, we were very pleased to help the Superintendent organize the program,” said Centre President Marty Abrams.

On May 30, 2013, the European Court of Justice held that Sweden failed to fulfill its obligations under EU law when it delayed complying with the Court’s 2010 ruling regarding the country’s implementation of the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”). The Court ordered Sweden to pay a lump sum of €3,000,000.

On May 31, 2013, the Council of the European Union’s Justice and Home Affairs released a draft compromise text in response to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). This compromise text narrows the scope of the Proposed Regulation and seeks to move from a detailed, prescriptive approach toward a risk-based framework.

On May 29, 2013, Hunton & Williams hosted a webinar, A Discussion on the Proposed EU Regulation: Developing a More Creative Approach. Hunton & Williams partner Bridget Treacy moderated the session with former UK Information Commissioner Richard Thomas, Global Strategy Advisor of the Centre for Information Policy Leadership at Hunton & Williams. Richard Thomas discussed the need for a more creative and flexible approach to the proposed EU General Data Protection Regulation, with better-defined outcomes and targeting businesses that present the greatest risks. He also ...

On June 3, 2013, Privacy Piracy host Mari Frank interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, on KUCI 88.9 FM radio in Irvine, California. Listen to the latest developments in cybersecurity, including legal issues businesses should consider when dealing with cybersecurity threats and the types of information being targeted.

Access the radio interview.