Privacy & Information Security Law Blog

Bloomberg Law’s Lee Pacchia interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, to discuss the recent data security incident involving Barnes & Noble stores. Sotto discussed life in the modern world of technology where there is an increased risk of data security incidents, and many companies only reach out to counsel after a data breach occurs. Sotto also described how large companies should protect themselves against these sophisticated cyberattacks. View the full live interview now. 

Reporting from Washington, D.C., Hunton & Williams partner Frederick Eames writes:

Elections have consequences. What are the consequences of the 2012 election on U.S. federal privacy, data security and breach notice legislation? We outline some key developments in the U.S. House of Representatives and Senate and explain how these developments might affect legislative priorities and prospects for the 113th Congress beginning in 2013.

On October 26, 2012, the Federal Trade Commission finalized its settlement agreements with two businesses that allegedly exposed thousands of customers’ sensitive personal information by allowing peer-to-peer (“P2P”) file-sharing software to be installed on the companies’ computer systems. The approved settlements prohibit Georgia auto dealer Franklin’s Budget Car Sales, Inc. (“Franklin”) and Utah-based debt collector EPN, Inc. (“EPN”) from misrepresenting their privacy and information security practices and requires both businesses to establish and maintain a comprehensive information security program subject to biennial, independent, third-party audits for 20 years. The settlement with Franklin also bars the company from violating the Gramm-Leach-Bliley Act (“GLBA”) Safeguards Rule and Privacy Rule.

On October 29, 2012, the UK Information Commissioner’s Office (“ICO”) served private sector financial services company The Prudential Assurance Company Limited (“Prudential”) with a monetary penalty of £50,000 in connection with a serious violation of the Data Protection Act 1998 (“DPA”). The violation concerned a mix-up involving Prudential customer details. In March 2007, the customer records of two individuals who shared the same first name, surname and date of birth were mistakenly merged into a single customer record. Over the course of the following three years, mortgage and pension policy information relating to each customer was routinely sent to the wrong individual until Prudential took steps to separate the two customers’ records in September 2010.

On October 23, 2012, just two weeks after issuing a series of reports highlighting the UK Information Commissioner’s Office’s (“ICO’s”) concerns regarding data protection compliance within the public sector, the ICO has imposed a monetary penalty of £120,000 and issued an enforcement notice against Stoke-on-Trent City Council (“Stoke Council”) in relation to a serious data breach. The breach involved the transmission of sensitive personal information related to a child protection case by email in an unmarked and unprotected manner to the incorrect email address.

On October 15, 2012, the Singapore Parliament passed the Personal Data Protection Act 2012. Though a law has been under discussion for quite some time, this bill was introduced before Parliament only recently, in September of this year. The new law will apply only to data processing in the private sector as data processing by public agencies (or organizations acting on behalf of public agencies) are already subject to internal government rules. Reportedly, the bill will become law in January 2013, enforceable after 18 months, in mid-2014.

On August 23, 2012, the United States Court of Appeals for the Sixth Circuit held in Retailer Ventures, Inc. v. Nat’l Union Fire Ins. Co. that losses resulting from the theft of customers’ banking information from a retailer’s computer system are covered under a commercial crime policy’s computer fraud endorsement.

On July 31, 2012, Minnesota Attorney General Lori Swanson announced a $2.5 million settlement with Accretive Health, Inc. (“Accretive”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, and various Minnesota debt collection and consumer protection laws. As we previously reported in January 2012, Accretive, which acted as a business associate to two Minnesota hospital systems, experienced a breach in July 2011 that involved the protected health information of more than 23,000 patients.

On August 15, 2012, Philippines President Benigno S. Aquino III signed the Data Privacy Act of 2012 passed earlier this year by the Philippine Senate and House of Representatives. Concerns about the creation of the National Privacy Commission and the criminal penalties associated with the Act delayed final enactment.

On July 10, 2012, the Federal Financial Institutions Examination Council (“FFIEC”) released a statement on outsourced cloud computing activities. The statement, which was prepared by the FFIEC Information Technology Subcommittee, discusses key risk considerations associated with using third-party vendors to implement cloud computing solutions, and identifies applicable risk mitigation considerations contained in the various booklets that comprise the FFIEC IT Examination Handbook. The statement indicates that the FFIEC agencies “consider cloud computing to be another form of outsourcing with the same basic risk characteristics and risk management requirements as traditional forms of outsourcing.” The paper focuses on addressing key risks of outsourced cloud computing identified in existing guidance. Key points include the following:

In recent weeks, both state and federal regulators have considered security breach notification legislation. On June 15, 2012, Connecticut Governor Dannel Malloy signed a budget bill that, among other things, amends the state’s security breach notification law. The changes, which will take effect on October 1, 2012, most notably require businesses to notify the state Attorney General no later than the time when notice of a security breach is provided to state residents. Although the law does not specify when notice must be provided to affected individuals, the law states that such notice must be made “without unreasonable delay,” subject to law enforcement delays and the completion of an investigation by the business to determine the nature and scope of the incident, to identify affected individuals, or to restore the reasonable integrity of the data system. As we previously reported, Vermont also recently amended its breach notification statute to require businesses to notify the state Attorney General within 14 days of discovering a security breach or concurrently when notifying consumers, whichever is sooner.

On June 26, 2012, the Federal Trade Commission announced that it had filed suit against Wyndham Worldwide Corporation and three of its subsidiaries (“Wyndham”) alleging failures to maintain reasonable security that led to three separate data breaches involving hackers accessing sensitive consumer data. The FTC’s complaint claims that Wyndham violated the FTC Act by posting misleading representations on Wyndham websites regarding how the company safeguarded customer information, and by failing to provide reasonable security for personal information it collected ...

On May 24, 2012, Massachusetts Attorney General Martha Coakley announced that South Shore Hospital agreed to a consent judgment and $750,000 payment to settle a lawsuit stemming from a data breach that occurred in February 2010. At that time, South Shore Hospital shipped several boxes of unencrypted back-up tapes to a service provider in Texas to erase them. The tapes contained the personal and protected health information of approximately 800,000 individuals, including names, Social Security numbers, financial account numbers and medical diagnoses. Several of the boxes went missing and have yet to be recovered, though there is no evidence that the information on the missing tapes has been misused.

On June 1, 2012, the Attorney General of Vermont announced a series of recent legislative moves to enhance the state’s consumer protection laws, including amendments to Vermont’s security breach notification law. The changes, which were signed into law by Governor Peter Shumlin in early May, include a revised definition of “security breach,” the addition of a 45-day timing requirement for notifying affected consumers, and a requirement to notify the state Attorney General within 14 days of discovering the breach (or when notifying consumers, if sooner).

Following a meeting in Sopot, Poland, on April 24, 2012, the International Working Group on Data Protection in Telecommunications (the “Working Group”), led by the Berlin Commissioner for Data Protection and Freedom of Information, issued a Working Paper that focuses on privacy and data protection issues related to the use of cloud computing in the international context. The Working Paper aims to reduce uncertainty regarding the definition of cloud computing and how the technology intersects with privacy, data protection and other legal issues.

On April 19, 2012, the French Data Protection Authority (the “CNIL”) issued a press release detailing its enforcement agenda for 2012. In a report adopted March 29, 2012, the CNIL announced that it will conduct 450 on-site inspections this year, with particular focus on the specific themes described below. The CNIL also indicated that it will continue the work started in 2011 with at least 150 additional inspections related to video surveillance, especially with respect to surveillance in locations that are frequented by large numbers of individuals.

On March 23, 2012, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the European Commission’s data protection law reform proposals, including the draft Regulation that is of particular importance for businesses. The Working Party’s Opinion serves as the national data protection authorities’ contribution to the legislative process before the European Parliament and the European Council.

On March 27, 2012, the Federal Trade Commission announced a proposed settlement order with RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites. The FTC alleged that RockYou failed to protect the personal information of 32 million of its users, and violated multiple provisions of the FTC’s Children’s Online Privacy Protection Act (“COPPA”) Rule when it collected information from approximately 179,000 children.

On March 21, 2012, Massachusetts Attorney General Martha Coakley announced that Maloney Properties Inc. (“MPI”), a property management firm, executed an Assurance of Discontinuance and agreed to pay $15,000 in civil penalties following an October 2011 theft of an unencrypted company-issued laptop. The laptop contained personal information of more than 600 Massachusetts residents and was left in an employee’s car overnight. MPI has indicated that it has no evidence of unauthorized access to or use of the personal information in connection with this breach.

On March 20, 2012, the Senate of the Philippines unanimously approved the omnibus Data Privacy Act of 2011, also known as “An Act Protecting Individual Personal Information in Information and Communications Systems in the Government and the Private Sector, Creating for This Purpose a National Data Protection Commission, and for Other Purposes” (S.B. 2965). Once signed into law, the legislation will impose a privacy regime modeled on the EU Data Protection Directive. It features significant notice, consent and data breach notification requirements, and it imposes direct ...

Join us at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., March 7-9, 2012. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

• Mending Fences after a Breach Thursday, March 8, 12:15 p.m. Speakers include: Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice, Hunton & Williams LLP; Susan Grant, Director of Consumer Protection, Consumer Federation of America; and Joanne B. McNabb, Chief, California Office of Privacy Protection.

Monetary penalties are one mechanism in a suite of tools that the UK Information Commissioner’s Office (“ICO”) uses to encourage compliance with data protection regulations. The ICO generally uses monetary penalties to sanction deliberate or negligent breaches of the law, but the purpose is not to impose financial hardship but rather to “act as an encouragement towards compliance, or at least as a deterrent against non-compliance.” The following is a brief overview of the ICO’s authority to issue monetary penalties.

The Ministry of Industry and Information Technology of the People’s Republic of China (the “MIIT”) recently issued a regulation entitled “Several Provisions on Regulating Market Orders of Internet Information Services” (the “New Regulations”). The New Regulations, which will take effect on March 15, 2012, include significant new data protection requirements applicable to Internet information service providers (“IISPs”). Consistent with data protection regimes currently in place elsewhere in the world, IISPs will be required to provide much stronger protection for the personal data they collect from users in China, and will be subject to notice and consent requirements, collection limitations and use limitations.

In recent weeks, regulators in California and Illinois have issued guidance on responding to data security breaches, while UK and California authorities released online forms for organizations to use when providing notification of a breach to regulators.

In December 2011, the UK Information Commissioner’s Office (“ICO”) released a new breach notification form, reinforcing its expectation that organizations provide notification whether or not such notification is legally required. Sector-specific breach notification requirements were introduced in the UK by The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and since May 2011, public electronic communication service providers have been required to notify the ICO, and in some cases affected individuals, in the event of a data security breach. All other organizations are strongly encouraged to notify the ICO of serious security breaches, and the fact that an incident was reported voluntarily is something the ICO takes into consideration when determining the appropriate enforcement action.

Throughout 2011, the UK Information Commissioner’s Office (“ICO”) escalated its use of data protection audits, encouraging organizations to submit to voluntary audits and seeking to increase its ability to conduct compulsory audits. Currently, the ICO has the authority to compel central government departments to undergo audits, but it would like to extend compulsory audits to include local government, the national health service and the private sector.

On January 24, 2011, Connecticut Attorney General George Jepsen and Consumer Protection Commissioner William Rubenstein announced that they had reached an Assurance of Voluntary Compliance (“AVC”) with Metropolitan Life Insurance Co. (“MetLife”) in connection with an incident involving the disclosure of customer personal information on the Internet. In November 2009, a MetLife employee posted the personally identifiable information of current and former MetLife customers, including their Social Security numbers, on the Internet. Following the discovery of the posting, MetLife acted to mitigate possible harm by providing credit monitoring and identity theft insurance to the affected customers.

On January 19, 2012, Minnesota Attorney General Lori Swanson announced a lawsuit against Accretive Health, Inc., (“Accretive”) for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its implementing regulations, the Minnesota Health Records Act, Minnesota’s debt collection statutes and Minnesota’s consumer protection laws. The suit, which was filed in Federal District Court in Minnesota, alleges that Accretive failed to adequately safeguard patients’ protected health information (“PHI”). This failure contributed to a July 2011 information security breach when an Accretive employee left an unencrypted laptop containing information of approximately 23,500 patients in a rental car. The laptop was stolen and has not yet been recovered.

On December 12, 2011, the United States Court of Appeals for the Third Circuit affirmed a decision that employees of Ceridian Corporation's (“Ceridian's") customers did not have standing to sue Ceridian after the payroll processing firm suffered a data breach.

On November 30, 2011, Tracy Kitten, Managing Editor of BankInfoSecurity, interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP. Discussing how data breaches can be game changers for organizations that suffer major incidents, Sotto emphasized that companies need to consider both the legal compliance issues involved with data breaches and potential reputational risks. Sotto also addressed how attorneys can play a key role in helping companies through the process.

Read the interview transcript or listen to the ...

In early December 2011, drafts of two legal instruments prepared by DG Justice of the European Commission to reform the EU data protection framework entered interservice consultation. This process will give other Directorates-General of the Commission the opportunity to comment on the drafts before they are formally released as legislative proposals; accordingly, changes to the drafts are likely. Following this comment period, the drafts will enter the EU legislative process, which is likely to take at least two to three years before they become law. It is believed that Justice Commissioner and Commission Vice-President Viviane Reding will formally announce final versions of the drafts at an appearance at the World Economic Forum in late January 2012.

Lithuanian firm LAWIN Lideika, Petrauskas, Valiūnas ir partneriai reports that recent amendments to Lithuania’s Law on Legal Protection of Personal Data and the Law on Electronic Communications have established a breach notification requirement. Specifically, providers of publicly-available electronic communications services or of public communications networks must notify the data protection authority of data security breaches, and, when the breach is likely to have an adverse effect on the privacy of affected individuals, the data controller also may be required ...

On November 4, 2011, Law360 interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP. In a question and answer session, Sotto discussed the challenges of working with multinational companies on compliance with privacy laws, and addressed questions related to her practice and career. Read the full interview.

Members of Parliament on the House of Commons Justice Select Committee have called for courts in the United Kingdom to be given greater powers to imprison and fine individuals who breach the Data Protection Act (“DPA”). The Committee stated in its October 18, 2011 report that the current penalties for unlawfully obtaining personal data (under Section 55 of the DPA) are an inadequate deterrent, and urged the government to exercise its power to introduce prison sentences without delay. Although currently a magistrates’ court can issue fines of up to £5,000 for breaches of Section 55 (and the Crown Court can impose unlimited fines), in practice, penalties often are limited to only a few hundred pounds.

On October 24, 2011, Israel’s Data Protection Authority, the Israeli Law, Information and Technology Authority in the Israeli Ministry of Justice (“ILITA”), announced significant developments in an information theft case affecting more than nine million Israeli citizens. In 2006, a contract worker hired by Israel’s Ministry of Welfare and Social Services downloaded a copy of Israel’s population registry to his home computer. The registry later fell into the hands of a software developer and a hacker before being disseminated on the Internet along with a program that allowed users to run searches and queries on the data. The stolen personal information included full names, identification numbers, addresses, dates of birth, dates of immigration to Israel, family status, names of siblings and other information.

On October 20, 2011, Mexico’s Ministry of Economy made public an update to its proposed Regulations to the Federal Law for the Protection of Personal Data Held by Private Parties. The new draft regulations, which contain changes made in light of public comments on the prior version, will take effect if they receive final executive approval, which may happen later this year. The updates to the draft regulations include:

• Rules specific to cloud computing
• Clarification of notice requirements
• Clarification of consent requirements
• Exemptions for certain business contact ...

On September 22, 2011, the Senate Judiciary Committee approved three separate bills that would establish a national data breach notification standard.  Because the bills were approved on a party-line vote, and several other data breach bills currently are under consideration by other Senate committees, the prospects for these three bills in the full Senate are uncertain.

On September 19, 2011, Privacy Piracy host Mari Frank interviewed Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice at Hunton & Williams LLP, on KUCI 88.9 FM radio in Irvine, California.  In the interview, Ms. Sotto discussed critical current privacy and data security issues, including lessons learned from the recent data breaches, the regulatory framework in the U.S. and EU, and expected legislative changes in the privacy arena globally.

Listen to the Privacy Piracy interview.

On September 14, 2011, UK Information Commissioner Christopher Graham said that the private sector “isn’t as good as it thinks it is” when it comes to data protection compliance, and that many of the compliance problems that arise originate in the private sector.  While giving evidence to the House of Commons Justice Select Committee, the Commissioner criticized the private sector and, in particular, banks and other financial services companies.

On September 6, 2011, Lisa J. Sotto, partner and head of Hunton & Williams’ Privacy and Data Security practice, discussed why companies and individuals should be concerned about protecting their personal information in an interview with FoxNews.com.

View the video of Lisa’s interview with Kimberly Guilfoyle.

On August 31, 2011, California Governor Jerry Brown signed into law amendments to that state’s security breach notification statute.  The revisions establish new content requirements for breach notification letters to California residents, and mandate notification to the state Attorney General when a breach affects more than 500 Californians.  Senate Bill 24 was the third effort by State Senator Joe Simitian to build on the landmark California breach notification law he authored in 2002.  The two previous bills he proposed were passed by the California legislature, but vetoed by former Governor Arnold Schwarzenegger.

On August 24, 2011, France’s new law concerning electronic communications (Ordonnance n° 2011-1012 du 24 août 2011 relative aux communications électroniques, or the “Ordinance”) came into force.  The Ordinance implements the provisions of the revised EU Directive 2002/58/EC (the “e-Privacy Directive”) with respect to the French Data Protection Act of 1978, the French Postal and Electronic Communications Code and the French Consumer Protection Code.  In particular, the Ordinance introduces new provisions under the French Data Protection Act, which impose an obligation on electronic communication service providers to provide notice in the event of a data security breach. 

Lush Cosmetics Ltd. (“Lush”) has avoided a monetary penalty for its breach of the UK Data Protection Act 1998.  Instead, the UK Information Commissioner’s Office (the “ICO”) has required Lush to sign an undertaking that obliges the company to “ensure that future customer credit card data will be processed in accordance with the Payment Card Industry Data Security Standard.”

On July 28, 2011, the International Association of Privacy Professionals (“IAPP”) hosted a webinar that addressed the upcoming audit program of the Department of Health and Human Services Office of Civil Rights (“OCR”).  Susan McAndrew, the Deputy Director for Health Information Privacy at OCR, provided an overview of the audit program, noting that it stemmed from Section 13411 of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  That section of the HITECH Act authorized the Secretary of the Health and Human Services to “provide for periodic audits to ensure that covered entities and business associates” comply with the requirements of the HIPAA Privacy and Security Rules.

On July 29, 2011, Massachusetts Attorney General Martha Coakley announced a $7,500 settlement with Belmont Savings Bank following a May 2011 data breach involving the names, Social Security numbers and account numbers of more than 13,000 Massachusetts residents.  The bank has stated that it has no evidence of unauthorized access to or use of consumers’ personal information in connection with this breach.

As reported in BNA’s Privacy Law Watch, on July 25, 2011, Russian President Dmitry Medvedev signed a new federal law amending Russia’s personal data privacy law, “On Personal Data.” The amended law, which was made public on July 27 and is effective retroactively from July 1, 2011, imposes new rules on international data transfers. As we previously reported, and as noted by the BNA, Russia had been considering improving its data protection regime and has enacted two other laws regarding the protection of personal data in the past several weeks.

A putative class action complaint filed on June 22, 2011, in the United States District Court for the Northern District of California alleges that the popular cloud-based storage provider Dropbox, Inc. failed to secure users’ private data or to notify the vast majority of them about a data breach.  According to the complaint, Dropbox announced in a blog post on its website that it had “introduced a bug” on June 19, 2011, which allowed users logged in to its system to log into other users’ accounts and access those users’ data stored on Dropbox.  The complaint further claims that Dropbox did not notify most, if not all, of its 25 million users that their information had been compromised.  The complaint defines the plaintiff class as all current or former Dropbox users as of June 19, 2011, whose accounts were breached.

In April 2011, a technical malfunction suffered by the Amazon Elastic Compute Cloud resulted in a multi-day outage affecting hundreds of businesses.  The incident offered high-profile evidence of both the widespread popularity of cloud computing and the potential consequences of storing company data in the cloud.  It also drew attention to cloud service contracts, raising questions about performance levels and backups in the event of a service disruption.  With more and more businesses seeking to take advantage of the efficiency and cost savings offered by cloud computing, the ...

On July 6, 2011, the UK Information Commissioner’s Office (the “ICO”) released its Annual Report and Financial Statements for 2010/11.  Characterizing information as “the currency of democracy,” the report highlights the wide range of the ICO’s activities during the last twelve months, which focused on education and the provision of good practice guidance in addition to enforcement activities.

On June 29, 2011, the Senate Committee on Commerce, Science and Transportation convened a hearing entitled “Privacy and Data Security: Protecting Consumers in the Online World.”  In opening remarks, Committee Chair Senator Jay Rockefeller (D-WV) highlighted that the hearing would consider both privacy and data security and discussed three bills focused on these issues.  

Speaking at the British Bankers’ Association’s Data Protection and Privacy Conference in London on June 20, 2011, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, signaled her intention to streamline data protection to “simplify the regulatory environment” and “substantially reduce the administrative burden” for businesses.  In return, Reding expects businesses to ensure “safe and transparent digital products and services.”

On June 13, 2011, Representative Mary Bono Mack (R-CA) released a discussion draft of the Secure and Fortify Data Act (the “SAFE Data Act”), which is designed to “protect consumers by requiring reasonable security policies and procedures to protect data containing personal information, and to provide for nationwide notice in the event of a security breach.”  Representative Bono Mack is Chairman of the House Subcommittee on Commerce, Manufacturing and Trade.  In a press release, Representative Bono Mack remarked that “E-commerce is a vital and growing part of our economy.  We should take steps to embrace and protect it – and that starts with robust cyber security.”  She added that “consumers have a right to know when their personal information has been compromised, and companies and other organizations have an overriding responsibility to promptly alert them.”

On June 8, 2011, the Department of Commerce’s Internet Policy Task Force released a report entitled “Cybersecurity, Innovation and the Internet Economy.”  The report contains four broad policy recommendations: (1) the creation of a nationally recognized approach to minimize vulnerabilities for the Internet and networking services industry, (2) the development of incentives to combat cybersecurity threats, (3) increased cybersecurity education and research, and (4) the promotion of international cooperation to enable sharing of cybersecurity best practices.

On June 7, 2011, Senator Patrick Leahy (D-VT) introduced the “Personal Data Privacy and Security Act of 2011” (the “Act”), co-sponsored by Senators Charles Schumer (D-NY) and Ben Cardin (D-MD).  This marks the fourth time Senator Leahy has introduced ambitious privacy legislation; in 2005, 2007 and 2009, similar bills failed to advance in the Senate.  In his press release, Senator Leahy stated that “many recent and troubling data breaches in the private sector and in our government are clear evidence that developing a comprehensive national strategy to protect data privacy and security is one of the most challenging and important issues facing our country.”

As reported by Kwang Hyun Ryoo and Ji Yeon Park of Bae, Kim & Lee LLC in Korea, on May 24, 2011, the government of South Korea published draft regulations to the Personal Information Protection Act (“PIPA”), the Republic’s new omnibus data protection law.

As we previously reported, PIPA was enacted on March 29, 2011, after past privacy legislation had languished in the Korean Parliament.  The recently published regulations (an Enforcement Decree and Enforcement Regulations) apply to any “handler of personal information” or “data handler,” which is any entity that uses personal information for business purposes.

The German Data Protection Authorities of Berlin and North Rhine-Westphalia have issued a paper containing Frequently Asked Questions about the German statutory data breach notification requirement that went into effect on September 1, 2009.  The paper provides detailed information on key questions concerning the procedure for notification as required by Section 42a of the German Federal Data Protection Act.

As we reported last week, on May 12, 2011, the Obama administration announced a comprehensive cybersecurity legislative proposal in a letter to Congress.  The proposal, which is the culmination of two years of work by an interagency team made up of representatives from multiple departments and agencies, aims to improve the nation’s cybersecurity and protect critical infrastructure.  If enacted, this legislation will affect many government and private-sector owners and operators of cyber systems, including all critical infrastructure, such as energy, financial systems, manufacturing, communications and transportation.  In addition, the proposal includes a wide-reaching data breach notification law that is intended generally to preempt the existing state breach laws in 46 states plus Washington, D.C., Puerto Rico and the U.S. Virgin Islands.

On May 12, 2011, the White House released the long-expected cybersecurity legislative proposal in response to the need to protect Americans from cyber threats.  The proposal is the culmination of several years of work following the White House’s release of the Cyberspace Policy Review in 2009 and includes the following sections:

On May 11, 2011, the UK Information Commissioner’s Office (the “ICO”) published a new statutory code of practice on the sharing of personal data.  As stated in the ICO’s press release, the code of practice covers best practices for both routine and one-off data sharing activities, and offers organizations tips for reducing the risk of inappropriate or insecure data sharing.  By helping organizations understand how to share data appropriately, the code of practice should facilitate compliance with the Data Protection Act and minimize the risk of enforcement actions by the ICO or other regulators.

On May 3, 2011, the Federal Trade Commission announced that it had reached settlements with Ceridian Corporation and Lookout Services, Inc. after alleging both companies had misrepresented the extent of their data security practices and subsequently failed to safeguard their customers’ information.  According to the FTC’s press release, the settlements “are part of the FTC’s ongoing efforts to ensure that companies secure the sensitive consumer information they maintain.”

On May 2, 2011, Sony Computer Entertainment America (“Sony”) disclosed that hackers had gained access to the personal information of 24.6 million customers who played games on the Sony Online Entertainment (“SOE”) network.  Sony stated that hackers may have accessed names, addresses and birth dates of SOE gaming customers, as well as credit card data of about 12,700 non-U.S. accounts and 10,700 bank account numbers from “an outdated database from 2007.”  Sony clarified that the SOE breach was not the result of a second attack, but rather occurred as part of the broad incursion against the company that affected 77 million PlayStation accounts, as the company previously disclosed on April 26.

On April 25, 2011, Legal Bisnow interviewed Marty Abrams, Executive Director of the Centre for Information Policy Leadership at Hunton & Williams LLP, and Hunton & Williams partner Lisa Sotto about hot topics in privacy and data protection.

Read Legal Bisnow’s article, “Hottest Practice Area?”.

On April 26, 2011, Sony Computer Entertainment America (“Sony”) disclosed an information security breach that may affect up to 77 million consumers.  On Sony’s PlayStation blog, Patrick Seybold, Senior Director of Corporate Communications and Social Media, wrote that an unauthorized person intruded into Sony’s PlayStation Network and Qriocity streaming music and video service between April 17 and April 19, 2011, and may have obtained users’ names, addresses, email address, birthdates, passwords and logins.  Mr. Seybold wrote that “out of an abundance of caution” Sony was advising its users that their credit card information also may have been obtained.  The blog post also noted that Sony is taking steps to address the breach, which include (1) turning off PlayStation Network and Qriocity services, (2) engaging an external security firm to investigate the incident, and (3) enhancing information security and strengthening its network infrastructure.  Sony further advised users to “review your account statements and to monitor your credit reports,” and provided the contact information for the three major credit bureaus in the United States.

On April 11, 2011, the United States District Court for the Northern District of California declined to dismiss four of the nine claims in a class action lawsuit filed against RockYou, Inc. (“RockYou”), a publisher and developer of applications used on popular social media sites.  The suit stems from a December 2009 security breach caused by an SQL injection flaw that resulted in the exposure of unencrypted user names and passwords of approximately 32 million RockYou users.  RockYou subsequently fixed the error and acknowledged in a public statement that “one or more individuals had illegally breached its databases” and that “at the time of the breach, the hacked database had not been up to date with industry standard security protocols.”  After receiving notification of the security breach from RockYou in mid-December, on December 28, 2009, a RockYou user who had signed up for a photo-sharing application filed a complaint seeking injunctive relief and damages for himself and on behalf of all other similarly-situated individuals.

On April 5, 2011, Lisa Sotto, partner and head of the Privacy and Data Security practice at Hunton & Williams LLP, discussed the Epsilon email breach in an interview with Tracy Kitten of Information Security Media Group.  The interview covered issues such as data protection requirements for sensitive consumer data, steps companies should take to protect data and lessons to be learned from the breach.  Download the podcast now.

On April 5, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the current EU personal data breach framework and recommendations for future policy developments (the “Opinion”).

In 2009, the revised e-Privacy Directive 2002/58/EC (the “e-Privacy Directive”) introduced a mandatory data breach notification regime for the telecommunications sector.  Pursuant to the e-Privacy Directive, telecommunications and internet service providers are required to report certain data breaches to their national regulator and to affected individuals.

On April 7, 2011, the Securities and Exchange Commission announced a settlement involving three former brokerage firm executives charged with “failing to protect confidential information about their customers.”  According to the announcement, “this is the first time that the SEC has assessed financial penalties against individuals charged solely with violations of Regulation S-P.”  Regulation S-P mandates that financial firms safeguard their customers’ confidential information and prevent its release to unaffiliated third parties without authorization.

On April 1, 2011, Epsilon Data Management, LLC (“Epsilon”), a leading marketing services provider based in Irving, Texas, issued a press release announcing that its clients’ customer data had been “exposed by an unauthorized entry into Epsilon’s email system” that took place on March 30, 2011.  In the press release, Epsilon indicated that the information acquired as a result of the incident was limited to email addresses and customer names.  Several major retailers, credit card issuers, financial institutions and other companies that use Epsilon as a service provider ...

As reported in BNA’s Privacy Law Watch, on March 29, 2011, South Korea’s president approved the Act on the Protection of Personal Data.  This comprehensive privacy law will require nearly all businesses and government agencies to provide data breach protection, mandate the use of privacy assessments before establishing certain new databases, and establish a right to file class actions in court over alleged violations of the law.  The implementing rules will be worked out before the law is due to take effect on September 30, 2011.  South Korea first attempted to enact a comprehensive privacy law in 2004; however, for the past seven years, omnibus privacy bills sponsored by the government and lawmakers have stalled in Parliament.

A new French law containing several key amendments to the French Data Protection Act and creating a new public authority referred to as the “Defender of Rights” (Loi n°2011-334 du 29 mars 2011 relative au Défenseur des droits, or the “Law”) came into effect on March 30, 2011.  The Defender of Rights, whose role is to defend civil rights and liberties, to promote children’s rights and to fight against discrimination, also will serve as a member of the CNIL’s plenary committee.

On March 28, 2011, the Briar Group, LLC, owner and operator of several Boston-area bars and restaurants, reached a settlement with Massachusetts Attorney General Martha Coakley regarding the breach of “tens of thousands” of consumers’ payment card information.  The settlement resolves a lawsuit filed in Massachusetts Superior Court alleging that in April 2009 hackers gained access to the Briar Group’s computer systems and misappropriated customer data by installing malcode which was not removed by the company until December of that year.  The complaint further alleged that the Briar Group’s lax data protection practices, such as allowing employees to share computer passwords and failing to secure network wireless connections, put customers’ personal information at risk.

On March 2, 2011, the German Federal government adopted a draft law revising certain sector-specific data protection provisions in the German Telecommunications Act.  The draft law addresses the implementation of data breach notification requirements in the European e-Privacy Directive by introducing a breach notification obligation for telecommunications companies.

The Government of India’s Ministry of Communications & Information Technology has published three draft rules that would implement the Information Technology Act, 2000. These include: Reasonable Security Practices and Procedures and Sensitive Personal Information; Due Diligence Observed by Intermediaries Guidelines and Guidelines for Cyber Cafe. The first two of these rules could affect international companies that provide digital services or process data in India. The comment period on the rules ends February 28, 2011.

On February 18, 2011, the European Network and Information Security Agency (“ENISA”), an advisory body created to enhance information security in the EU, announced the issuance of its report on cookies, entitled “Bittersweet cookies.  Some security and privacy considerations.”

In the past two months, lawmakers in three states have introduced legislation that would expand the scope of certain security breach notification requirements.

Virginia SB 1041

On January 11, 2011, Virginia lawmakers introduced SB 1041, which would amend the state’s health breach notification statute to impose notification requirements on businesses, individuals and other private entities, in the event unencrypted or unredacted computerized medical information they own or license is reasonably believed to have been accessed and acquired by an unauthorized person.  The law currently applies only to organizations, corporations and agencies supported by public funds.  In addition to broadening the scope of the law’s applicability, the amendment would permit the Virginia Attorney General to impose a civil penalty of up to $150,000 per breach (or series of similar breaches that are discovered pursuant to a single investigation), without limiting the ability of individuals to recover direct economic damages for violations.

Update: On February 11, 2011, BNA's Privacy Law Watch reported that SB 1041 had failed and would not be carried over to the next legislative session.

On January 24, 2011, the data protection authority of the German state of Rhineland-Palatinate issued a press release regarding significant breaches of data protection law by companies that maintain websites and create user profiles.

On January 14, 2011, the European Network and Information Security Agency (“ENISA”), which was created to enhance information security within the European Union, published a report entitled “Data breach notifications in the EU” (the “Report”).

Currently, there is wide debate throughout the EU regarding data breach notification requirements.  The debate stems from recent high-profile data breach incidents and the introduction of mandatory data breach notification requirements for telecommunication service providers imposed by EU Directive 2009/136/EC (amending EU Directive 2002/58/EC, the “e-Privacy Directive”), which must be integrated into EU Member States’ national laws by May 25, 2011.  The goal of the Report is to assist Member States, regulatory authorities and private organizations with their implementation of data breach notification policies.

In the first use of his powers to impose monetary penalties, the UK Information Commissioner has announced fines for two organizations with respect to serious breaches of the UK Data Protection Act.

• Hertfordshire County Council must pay a fine of £100,000 after staff accidentally faxed highly sensitive information to the wrong recipients, on two separate occasions.
• A4e Limited, an employment services company, must pay £60,000 following the theft of an unencrypted laptop from an employee’s home, putting the data of 24,000 people at risk.

On November 10, 2010, the American Bar Association’s Section of Antitrust Law’s International Committee and Corporate Counseling Committee hosted a webinar on “Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference?”.  A panel of senior officials and private sector experts provided insights on emerging cross-border data privacy and security issues.  Hunton & Williams partner Lisa Sotto was tapped to moderate an outstanding panel which included Billy Hawkes, Commissioner, Office of the Data Protection Commissioner ...

In a move toward implementation of the EU e-Privacy Directive, on November 3, 2010, the Dutch Minister of Economic Affairs submitted a bill to the Dutch Parliament that would amend the Dutch Telecommunications Act to obligate telecom and internet service providers to provide notification of data security breaches, and require consent for the use of cookies (the “Bill”).

The proposed Bill would require telecom and internet service providers to notify the Dutch Telecom Authority (the “OPTA”) without delay in the event of a security breach involving personal data.  They also would be required to notify affected individuals without delay if the breach is likely to have an adverse effect on the protection of their personal data.  The Bill does not affect initiatives to introduce a broader data breach notification regime applicable to other industries outside the telecom sector.  The Dutch Minister of Justice recently stated that he expects to issue a proposal to implement a more general data breach notification law in 2011.

On November 8, 2010, Connecticut Insurance Commissioner Thomas Sullivan announced that Health Net of Connecticut, Inc. (“Health Net”) had agreed to pay $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties.  The penalties were part of a settlement agreement reached with Health Net pursuant to which Health Net agreed to provide credit monitoring protection for two years to all affected members and providers in Connecticut.  Health Net also agreed that the costs related to improvements in data and equipment security it made in response to the data breach will not be passed along to Health Net members.

On November 4, 2010, the European Commission (the “Commission”) released a draft version of its Communication proposing “a comprehensive approach on personal data protection in the European Union” (the “Communication”) with a view to modernizing the EU legal system for the protection of personal data.  The Communication is the result of the Commission’s review of the current legal framework (i.e., Directive 95/46/EC), which started with a high-level conference in Brussels in May 2009, followed by a public consultation and additional targeted stakeholders’ consultations throughout 2010.  Although the Commission considers the core principles of the Directive to still be valid, the Communication equally acknowledges that the existing legal framework for data protection in the European Union is no longer able to meet the challenges of rapid technological developments and globalization.

The UK Information Commissioner’s Office (“ICO”) has announced the outcome of its investigation into the collection of payload data by Google Street View cars in the UK.  The ICO has concluded that there was a “significant breach” of the UK Data Protection Act in that “the collection of this information was not fair or lawful and constitutes a significant breach of the first principle [of the Act].”

While the ICO has the power to impose monetary penalties for serious breaches of the Act, capped at £500,000 per breach, in this case the ICO has determined that the appropriate course is to secure an undertaking from Google, requiring it to implement additional data protection safeguards.

Indiana Attorney General Greg Zoeller announced on October 29, 2010, that he has sued health insurer WellPoint, Inc. for alleged failure to provide timely notification of a data breach.  Indiana’s breach notification statute requires a business that has experienced a data breach to notify affected individuals and the state attorney general “without unreasonable delay.”  The state alleges that WellPoint was notified of the security breach on February 22, 2010, and again on March 8, 2010, but did not begin notifying customers of the breach until June 18, 2010.  A delay is considered reasonable if it is “(1) necessary to restore the integrity of the computer system; (2) necessary to discover the scope of the breach; or (3) in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will:  (A) impede a criminal or civil investigation; or (B) jeopardize national security.”  Ind. Code. § 24-4.9-3-3(a).  WellPoint has not yet filed an answer to the complaint.

On behalf of a group of interested parties (the “Group”), Hunton & Williams and Acxiom submitted a response to the UK Ministry of Justice’s (“MoJ”) recent Call for Evidence on the effectiveness of current data protection legislation in the UK.  The Group is comprised of representatives from more than 40 organizations, including Barclays Bank, Dell, Fujitsu and GE Capital, all of which are committed to using personal data responsibly.  Hunton & Williams and Acxiom, a global leader in interactive marketing services, with the attendance of the Group, worked together over the last two months to host two discussion meetings, and produced a submission summarizing the Group’s views.

On August 25, 2010, the German government approved a draft law concerning special rules for employee data protection, originally proposed by the Federal Ministry of the Interior.  A background paper on the draft law was published on August 25, 2010.  The draft law would amend the German Federal Data Protection Act (the Bundesdatenschutzgesetz or “BDSG”) by adding provisions that specifically address data protection in the employment context.  Currently, employee data protection is regulated by (1) general provisions in the BDSG, (2) the new Section 32 of the BDSG introduced by the most recent reform in September 2009, (3) the Works Constitution Act, (4) guidance from state data protection authorities, and (5) comprehensive case law from federal and local labor courts.

The UK Information Commissioner’s Office (the “ICO”) has indicated that UK law firm ACS:Law could face a maximum penalty of £500,000 following a major data breach.

Personal information, including names and addresses, of over 8,000 Sky broadband subscribers and 400 PlusNet users was made publicly available following an apparent attack on ACS:Law’s website.  The broadband customers involved are suspected by ACS:Law’s clients of illegally file-sharing copyright work, including music and, in some instances, pornographic films.

On August 18, 2010, the Connecticut Insurance Department (the “Department”) issued Bulletin IC-25, which requires entities subject to its jurisdiction to notify the Department in writing of any “information security incident” within five calendar days after an incident is identified.  In addition to providing detailed procedures and information to be included in the notification, the Bulletin states that the Department “will want to review, in draft form, any communications proposed to be made” to affected individuals.  The Bulletin further indicates that, “depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time.”

The UK Ministry of Justice has issued a Call for Evidence on the effectiveness of current data protection legislation in the UK.  Responses must be submitted by October 6, 2010.  “It will give the [UK] Government a solid evidence base to use in negotiations with other European Union parties.  I believe we have everything to gain from a sensible, proportionate and rights-based data protection framework, and one that works for you as businesses, service-providers and citizens,” said Minister of State for Justice, Lord McNally.

On July 8, 2010, the Department of Health and Human Services ("HHS") issued a notice of proposed rulemaking to modify the Privacy, Security and Enforcement Rules promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996.  The modifications implement changes made by the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act) enacted in 2009.

On May 25, 2010, two privacy-related bills were introduced in the Parliament of Canada: the Fighting Internet and Wireless Spam Act (“FISA” or Bill C-28) and the Safeguarding Canadians’ Personal Information Act (Bill C-29) amending the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

Bill C-29 is the long-awaited government response to the five-year mandatory review of PIPEDA.  The centerpiece of the bill is a new disclosure provision for security breaches related to personal information.  Key elements in the security breach notification proposal include:

• Any “material breach of security safeguards involving personal information” would have to be reported to the Privacy Commissioner of Canada.
• A determination of whether the breach is “material” would be made by the entity, based on the sensitivity of the information, the number of individuals affected and whether there is a systemic problem.
• Notification would have to be made “as soon as feasible” individuals affected by the breach “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.”
• A determination of whether there is a “real risk” would be made by the entity, based on the sensitivity of the information and the probability that the personal information has been, is being or will be misused.

On May 28, 2010, the UK Information Commissioner’s Office issued a press release stating that it has been notified of more than 1,000 data security breaches since it began keeping records in late 2007.  There is no mandatory reporting requirement in the UK, so the actual number of breaches is likely to be significantly higher.  The ICO’s press release notes that the majority of breaches occur as a result of human or technical errors, such as employees improperly disclosing data to third parties or automated machines sending out letters to the wrong addresses.

Federal Trade Commission Chairman Jon Leibowitz recently sent a letter to Congressman Edward Markey, Co-Chairman of the bipartisan Congressional Privacy Caucus, announcing that the FTC will address the privacy risks associated with the use of digital copiers.  Congressman Markey had urged the FTC to investigate this issue after a CBS News exposé showed that almost every digital copier produced since 2002 stores on its hard drive images of documents that are “scanned, copied or emailed by the machine” – including documents with sensitive personal information.

The Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”) has announced that it will more closely examine covered entities’ breach notification and risk mitigation plans.  OCR noted that small and medium sized covered entities have been particularly vulnerable to data breaches.  The National Institute of Standards and Technology (“NIST”) will publish a guide for covered entities that “outlines the steps to mitigate risks for data breaches, training for how to respond to breaches, and overall preparation in the event of a ...

David Holtzman, a health information privacy specialist at the Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”), stated at a health privacy conference on May 11, 2010, that OCR has been “vigorously” enforcing the Security Rule, which was promulgated pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”).  Prior to 2009, HHS divided civil enforcement responsibility for HIPAA between OCR, which enforced the HIPAA Privacy Rule, and the Centers for Medicare and Medicaid Services (“CMS”), which enforced the HIPAA Security Rule.  In July 2009, the Secretary of HHS delegated authority to enforce the HIPAA Security Rule to OCR to “facilitate improvements by eliminating duplication and increasing efficiency.”

On April 12, 2010, the Financial Industry Regulatory Authority (“FINRA”) announced that it had fined D.A. Davidson & Co. $375,000 for failing to protect its customers’ confidential information.  In late 2007, the firm’s system was compromised when hackers employed a SQL injection attack to download the confidential customer information of approximately 192,000 individuals.  The security breach came to light when one of the persons responsible for the intrusion attempted to blackmail D.A. Davidson via email on January 16, 2008.  The firm responded quickly by notifying ...

On April 7, 2010, Mississippi became the 46th state to enact a data security breach notification law.  The law, which will take effect July 1, 2011, applies to the unauthorized acquisition of unencrypted electronic files, media, databases or computerized data containing personal information of any Mississippi resident.  The law contains a harm threshold specifying that notification is not required if it can be reasonably determined that the breach will not likely result in harm to affected individuals.  The enactment of this law leaves Alabama, Kentucky, New Mexico and South Dakota ...

The Attorney General of Connecticut, Richard Blumenthal, is investigating an alleged breach of medical records at Griffin Hospital in Derby, Connecticut.  The hospital believes that a formerly affiliated radiologist gained unauthorized access to its digital Picture Archiving and Communications System (“PACS”), which stores patient information, including names, exam descriptions and medical record numbers.  In February, the hospital began receiving inquiries from patients who had been contacted by the radiologist to promote professional services offered at another medical facility.  In response to patient inquiries, the hospital conducted an internal investigation that revealed several instances of unauthorized access to the PACS system.  The hospital subsequently notified Attorney General Blumenthal.

Under a Washington law effective July 1, 2010, certain entities involved in payment card transactions may be liable to financial institutions for costs associated with reissuing payment cards after security breaches.  Designed to encourage the reissuance of payment cards as a means of mitigating harm caused by security breaches, Washington H.B. 1149 applies to three types of entities:  businesses, processors and vendors.  Under the law, a business is an entity that “processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to . . . residents of Washington.” A processor is any entity, other than a business, that “directly processes or transmits [payment card] account information for or on behalf of another person as part of a payment processing service.” A vendor is any “entity that manufactures and sells software or equipment that is designed to process, transmit, or store [payment card] account information or that maintains account information that it does not own.”

In 2009, for the first time in three years, more publicly reported data security breaches were caused by hackers than by other sources, such as insider theft.  The nonprofit Identity Theft Resource Center (“ITRC”) tracks breaches involving five categories of data loss: (i) “data on the move,” such as lost laptops; (ii) accidental exposure; (iii) insider theft; (iv) losses involving subcontractors; and (v) hacking.  The ITRC’s 2009 Breach Report analyzed 498 publicly reported breaches affecting over 222 million total records, concluding that hacking may be on the rise.

On March 9, 2010, the Federal Trade Commission announced that LifeLock, Inc., has agreed to pay $12 million to settle charges of deceptive advertising related to its identity theft protection services.  The FTC and the attorneys general of 35 states obtained the coordinated settlement pursuant to charges that LifeLock made false representations regarding the effectiveness of the protection its services offer consumers.  The FTC alleged that, contrary to assertions made in LifeLock’s advertisements, its products provide no protection from the most common form of identity ...