Privacy & Information Security Law Blog

On April 27, 2016, the UK House of Commons Culture, Media and Sport Select Committee (the “Committee”) confirmed Elizabeth Denham’s appointment as Information Commissioner. Denham, currently the Privacy and Information Commissioner for British Columbia, Canada, was announced as the UK Government’s preferred choice on March 22, 2016.

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced resolution agreements with Raleigh Orthopaedic Clinic, P.A., (“Raleigh Orthopaedic”) and New York-Presbyterian Hospital (“NYP”) for HIPAA Privacy Rule violations.

On April 13, 2016, Nebraska Governor Pete Ricketts signed into law LB 835 (the “Bill”), which among other things, adds a regulator notification requirement and broadens the definition of “personal information” in the state’s data breach notification statute, Neb. Rev. Stat. §§ 87-802 to 87-804. The amendments take effect on July 20, 2016.

In its third simulated test of the security of the power grid, the North American Reliability Corporation (“NERC”) reported general progress across the electric utility industry in defending against physical and cyber threats, while also identifying several areas for further improvement.

The NERC exercise, dubbed GridEx III, took place over two days in November 2015 and involved more than 4,400 individuals from 364 industry, law enforcement and government organizations across the United States, Canada and Mexico. The main objectives of the exercise were to test crisis response and recovery, improve communication, identify problem areas and engage senior-level leadership in the organizations involved.

The Federal Trade Commission recently released an interactive tool for mobile health apps. The tool was developed in conjunction with several other federal agencies, including the Department of Health and Human Services’ Office for Civil Rights, the Office of the National Coordinator for Health Information Technology, and the Food and Drug Administration.

In a recent article published by SC Magazine, Lisa Sotto, head of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice, provides commentary on the recent case, Apple v. FBI. The article analyzes privacy versus security, and Sotto tells SC Magazine, “[the case] should never have escalated to this, privacy should have been addressed” at the onset of the investigation. Sotto says the government should have “worked with tech companies to craft policies and processes” before an issue of this magnitude arose. The article provides details on the case and discusses ...

With the recent adoption of the EU General Data Protection Regulation (“GDPR”) and the significant changes it will require from organizations, AvePoint has joined forces with the Centre for Information Policy Leadership (“CIPL”), a global privacy policy think tank at Hunton & Williams LLP, to launch the first global survey to benchmark organizations’ readiness for the GDPR.

On April 12, 2016, the French Data Protection Authority (“CNIL”) announced that it will participate in a coordinated online audit to analyze the impact of everyday connected devices on privacy. The audit will be coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”) from around the world.

On April 6, 2016, U.S. District Judge R. Gary Klausner approved a settlement in Corona v. Sony Pictures Entertainment, Inc., No. 14-CV-09600 (RGK). As we previously reported, the litigation centered on a data breach involving the stolen personal information of at least 15,000 former and current employees. After a partial success on its motion to dismiss, Sony still faced potential liability for negligence based on its three-week delay in notifying its employees of the data breach, as well as statutory claims under the California Confidentiality of Medical Information Act and the Unfair Competition Law.

As reported on the Hunton Insurance Recovery Blog, data breach claims involving customer data can present an ever-increasing risk for companies across all industries. A recent case illustrates efforts to recover the costs associated with such claims. A panel of the Fourth Circuit confirmed that general liability policies can afford coverage for cyber-related liabilities, and ruled that an insurer had to pay attorneys’ fees to defend the policyholder in class action litigation in Travelers Indemnity Company v. Portal Healthcare Solutions, No. 14-1944. Syed Ahmad, a partner in the Hunton & Williams LLP insurance practice, was quoted in a Law360 article concerning the importance of this decision.

On April 14, 2016, after four years of drafting and negotiations, the long awaited EU General Data Protection Regulation (“GDPR”) has been adopted at the EU level. Following the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs’ vote earlier this week and the EU Parliament in plenary session, the GDPR is now officially EU law and will directly apply in all EU countries, replacing EU and national data protection legislation.

On April 13, 2016, the Article 29 Working Party (the “Working Party”) published its Opinion on the EU-U.S. Privacy Shield (the “Privacy Shield”) draft adequacy decision. The Privacy Shield was created to replace the previous Safe Harbor framework invalidated by the Court of Justice of the European Union (“CJEU”) in the Schrems decision. The Working Party also published a Working Document on the justification for interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees).

On April 12, 2016, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs voted to approve the EU General Data Protection Regulation (“GDPR”) by a 54-3 vote, with one abstention. The GDPR replaces Directive 95/46/EC, enacted in 1995, and will significantly change EU data protection laws.

This development clears the way for the European Parliament to rubber stamp the GDPR at a plenary session on April 14, 2016, completing the legislative process for adoption of the GDPR. The GDPR is expected to be published in the Official Journal of the European Union ...

On April 11, 2016, the European Commission launched a public consultation to evaluate and review Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector, also known as the e-Privacy Directive.

Technological advances and the advent of the EU General Data Protection Regulation (“GDPR”) have prompted the European Commission to review the e-Privacy Directive, which was last updated in 2009.

On March 30 through April 1, 2016, the 2016 Nuclear Industry Summit meetings took place in Washington D.C. In the nuclear industry, the issue of cybersecurity has grown steadily in importance over the past decade. This has been most apparent in the increasing attention and effort paid to cyber-based threats under the biennial Nuclear Industry Summit and its international meetings.

Team helps companies devise legal strategies to enhance security and mitigate threat risk.

On April 4, 2016, Hunton & Williams LLP announced the formation of a Cyber and Physical Security Task Force to assist companies in minimizing the risks and consequences of a serious security incident. The task force is being led by global privacy and cybersecurity head Lisa Sotto, cybersecurity partner Paul Tiao, and energy partner Kevin Jones, and includes lawyers from a wide range of practice groups within the firm.

On April 6, 2016, the Federal Trade Commission formally welcomed the updated Recommendation on Consumer Protection in E-commerce (the “Recommendation”) issued by the Organization for Economic Cooperation and Development (“OECD”) on March 24, 2016, endorsing the Recommendation’s broadened scope and increased consumer protections that “are designed to strengthen consumers’ trust in the expanding electronic marketplace.”

On March 24, 2016, the Grand National Assembly of Turkey approved the Law on Personal Data Protection, which is Turkey’s first comprehensive data protection legislation. The law will become effective once it is ratified by Turkey’s President and published in the Official Gazette of the Republic of Turkey.

On April 8, 2016, the Council of the European Union (the “Council”) will adopt its position on the EU General Data Protection Regulation (“GDPR”). The General Secretariat of the Council of the EU sent a Note (the “Note”) asking the Permanent Representatives Committee to use the “written procedure” to adopt the Council's position. The adoption of the Council's position was initially planned for a vote on April 21, 2016, during the next Justice and Home Affairs Council, but the Council has decided to expedite the process for adoption by using the “written procedure,” which is an exceptional procedure that does not include public deliberation.

On March 24, 2016, Tennessee Governor Bill Haslam signed into law S.B. 2005, as amended by Amendment No. 1 to S.B. 2005 (the “Bill”), which makes a number of changes to the state’s data breach notification statute, Tenn. Code § 47-18-2107. The amendments take effect on July 1, 2016.