Privacy & Information Security Law Blog

The German Data Protection Authorities of Berlin and North Rhine-Westphalia have issued a paper containing Frequently Asked Questions about the German statutory data breach notification requirement that went into effect on September 1, 2009.  The paper provides detailed information on key questions concerning the procedure for notification as required by Section 42a of the German Federal Data Protection Act.

On May 27, 2011, the Department of Health and Human Services (“HHS”) issued a notice of proposed rulemaking regarding the HIPAA Privacy Rule provision that requires covered entities to provide an accounting of disclosures of protected health information (“PHI”) to individuals upon request.  The proposed rule revises existing HIPAA Privacy Rule provisions regarding an accounting of disclosures and also gives individuals a new right to obtain an “access report” about which specific individuals have accessed electronic PHI in a designated record set.  The proposed rule also requires covered entities to modify their privacy notices to include that individuals have the right to obtain an access report from the covered entities.

On June 6, 2011, join Hunton & Williams for a panel discussion on the implementation of the new EU Cookie Law in the UK, France, Germany and the Netherlands.  EU law on the use of cookies is changing.  Opt-in consent will be required, but specific requirements may differ across the EU.  What are organizations doing to ensure compliance with the new cookie law?  Listen to David Evans, Group Manager of Business and Industry of the Information Commissioner's Office, explain the steps that UK organizations are expected to take.  Learn about cookie compliance in France, Germany and the ...

According to a complaint submitted to the Federal Trade Commission on May 11, 2011, the popular cloud-based data storage provider Dropbox, Inc. made false claims about the security of its users’ data, thereby putting them at risk while gaining an unfair advantage over competitors that actually offer the sort of security Dropbox advertised.  The Dropbox service allows users to create folders on their computers that automatically sync with corresponding folders on Dropbox’s servers.  Users can specify whether their folders are public or private.  The allegations concern the folders designated as private, which are touted as being protected by encryption.  According to the complaint, which was filed by Christopher Soghoian (a security researcher and former technologist at the FTC’s Division of Privacy and Identity Protection), although Dropbox represented that its encryption features would render a user’s files completely inaccessible to any person other than the user, in fact, Dropbox employees maintained copies of the encryption keys and could therefore access the contents of users’ files.  This left Dropbox users’ files susceptible to unauthorized access (e.g., governmental demands for data, hacking attacks, rogue insiders).

On May 11, 2011, in Thomas Robins v. Spokeo, Inc., the United States District Court for the Central District of California granted in part and denied in part defendant Spokeo, Inc.’s motion to dismiss claims that it violated the Fair Credit Reporting Act (“FCRA”).  The ruling allows the plaintiff to continue his action against Spokeo, a website that aggregates data about individuals from both online and offline sources.

On May 25, 2011, the UK Information Commissioner’s Office (the “ICO”) issued a news release stating that organizations and businesses that run websites aimed at UK consumers will be given up to 12 months to “get their house in order” before enforcement of the new cookie law begins.  Information Commissioner Christopher Graham made it clear, however, that “[t]his does not let everyone off the hook.  Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”

On May 16, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on geolocation services on smart mobile devices (the “Opinion”).  The Opinion clarifies the legal framework and obligations applicable to geolocation services such as maps and navigation tools, geo-personalized services, geotagging of content on the Internet, child control and location-based advertising.

As we reported last week, on May 12, 2011, the Obama administration announced a comprehensive cybersecurity legislative proposal in a letter to Congress.  The proposal, which is the culmination of two years of work by an interagency team made up of representatives from multiple departments and agencies, aims to improve the nation’s cybersecurity and protect critical infrastructure.  If enacted, this legislation will affect many government and private-sector owners and operators of cyber systems, including all critical infrastructure, such as energy, financial systems, manufacturing, communications and transportation.  In addition, the proposal includes a wide-reaching data breach notification law that is intended generally to preempt the existing state breach laws in 46 states plus Washington, D.C., Puerto Rico and the U.S. Virgin Islands.

On April 11, 2011, India adopted new privacy regulations, known as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “Rules”).  The Rules are final versions of the draft regulations issued in February 2011 and impose wide-ranging obligations on any “body corporate” (company) that “collects, receives, possesses, stores, deals or handles” personal information.  These obligations require companies to provide privacy policies, restrict the processing of sensitive personal data, restrict international data transfers and require additional security measures.  The Rules introduce an omnibus privacy law that is similar in many respects to existing EU data protection law, but which raises some fundamental challenges for India’s numerous outsourcing vendors, and their customers.

A new bill proposed in California, the Social Networking Privacy Act (the “Act”), would force social networking websites to establish default privacy settings for their users that prohibit such sites from publicly displaying most information about users without the users’ consent.  Given that many social networking websites currently have default settings that make user personal information and photos public unless the user changes those settings, the Act would represent a fundamental shift in social networking privacy.

As we previously reported, Korea's long-awaited Personal Information Protection Act (“PIPA”) was enacted on March 29, 2011.  The law generally requires an individual’s informed consent for the collection, use or disclosure of any personal information by any person, company or government agency.  Kwang Hyun Ryoo from Bae, Kim & Lee LLC in Korea has provided a detailed analysis of the law.

On May 10, 2011, the German Federal Office for Information Security, (the Bundesamt für Sicherheit in der Informationstechnik or “BSI”) released the final framework paper on information security issues related to cloud computing.  The paper describes the minimum requirements for information security for cloud computing services.  As we previously reported, in September 2010, the BSI had presented the draft framework paper which received positive reviews and constructive comments from cloud computing providers, users, associations and other stakeholders.  The ...

From May 26, 2011, UK law regulating the use of cookies on websites will change from an opt-out regime, to one requiring prior opt-in consent.  This change poses significant practical challenges for website operators.  In guidance on the new regulations, the UK Information Commissioner has acknowledged the challenge but warned that website operators must take steps now to ensure that they are ready to comply.

On May 12, 2011, the Federal Trade Commission announced that Playdom, Inc., a Disney subsidiary, has agreed to pay $3 million to settle charges that the company violated Section 5 of the FTC Act and the Children’s Online Privacy Protection Rule (“COPPA Rule”) “by illegally collecting and disclosing personal information from hundreds of thousands of children under age 13 without their parents’ prior consent.”  This settlement marks the largest civil penalty imposed for an FTC COPPA Rule violation.

On May 12, 2011, the White House released the long-expected cybersecurity legislative proposal in response to the need to protect Americans from cyber threats.  The proposal is the culmination of several years of work following the White House’s release of the Cyberspace Policy Review in 2009 and includes the following sections:

On May 11, 2011, the UK Information Commissioner’s Office (the “ICO”) published a new statutory code of practice on the sharing of personal data.  As stated in the ICO’s press release, the code of practice covers best practices for both routine and one-off data sharing activities, and offers organizations tips for reducing the risk of inappropriate or insecure data sharing.  By helping organizations understand how to share data appropriately, the code of practice should facilitate compliance with the Data Protection Act and minimize the risk of enforcement actions by the ICO or other regulators.

On May 9, 2011, Senator Jay Rockefeller (D-WV), the Chairman of the Senate Committee on Commerce, Science and Transportation, introduced the “Do-Not-Track Online Act of 2011” (the “Act”).  The Act instructs the Federal Trade Commission to promulgate regulations that would (1) create standards for the implementation of a “Do Not Track” mechanism that would enable individuals to express a desire to not be tracked online and (2) prohibit online service providers from tracking individuals who express such a desire.  The regulations would allow online service providers to track individuals who do not want to be tracked only if (1) the tracking is necessary to provide a service requested by the individual (and the individuals’ information is anonymized or deleted when the service is provided), or (2) the individual is given clear notice about the tracking and affirmatively consents to the tracking.

On April 26, 2011, the United States Supreme Court heard oral argument in Sorrell v. IMS Health, a case concerning the constitutionality of a Vermont law that restricts access to prescription drug records.  Laws enacted by New Hampshire, Maine and Vermont prohibit pharmacies from selling prescriber-identifiable information in prescription records to third parties for marketing purposes.  The Supreme Court seeks to resolve a circuit split that resulted from legal challenges to the statutes in all three states.  Thomas Julin, partner at Hunton & Williams LLP, represents IMS Health ...

On May 3, 2011, the Federal Trade Commission announced that it had reached settlements with Ceridian Corporation and Lookout Services, Inc. after alleging both companies had misrepresented the extent of their data security practices and subsequently failed to safeguard their customers’ information.  According to the FTC’s press release, the settlements “are part of the FTC’s ongoing efforts to ensure that companies secure the sensitive consumer information they maintain.”

As reported in Hunton & Williams' Employment & Labor Perspectives blog:

The National Labor Relations Board (“NLRB”) regional offices addressing complaints involving employers’ social media policies must seek advice from the NLRB’s Division of Advice before taking any action.  The memorandum, issued by the NLRB’s Office of the General Counsel on April 12th, added social media disputes to the list of matters that must be submitted to the Division of Advice.  The Division of Advice is responsible for issuing opinions on difficult or novel labor issues.

On May 2, 2011, Sony Computer Entertainment America (“Sony”) disclosed that hackers had gained access to the personal information of 24.6 million customers who played games on the Sony Online Entertainment (“SOE”) network.  Sony stated that hackers may have accessed names, addresses and birth dates of SOE gaming customers, as well as credit card data of about 12,700 non-U.S. accounts and 10,700 bank account numbers from “an outdated database from 2007.”  Sony clarified that the SOE breach was not the result of a second attack, but rather occurred as part of the broad incursion against the company that affected 77 million PlayStation accounts, as the company previously disclosed on April 26.

Austrian DPA Gives Green Light Subject to Conditions

On April 21, 2011, the Austrian Data Protection Commission (“Austrian DPA”) published its decision allowing Google to register its Google Street View application on the Austrian DPA’s data processing register.  As part of the registration procedure, Google agreed to blur images of faces and license plates prior to publishing them on the Internet, and to provide information to the public about the right to object to publication of certain images.  Further, the Austrian DPA required Google to:

On April 25, 2011, Legal Bisnow interviewed Marty Abrams, Executive Director of the Centre for Information Policy Leadership at Hunton & Williams LLP, and Hunton & Williams partner Lisa Sotto about hot topics in privacy and data protection.

Read Legal Bisnow’s article, “Hottest Practice Area?”.