Privacy & Information Security Law Blog

On March 28, 2018, Alabama became the final state in the U.S. to enact a data breach notification law. The Alabama Data Breach Notification Act of 2018 (S.B. 318) (“the Law”) goes into effect on June 1, 2018.

On March 26, 2018, the U.S. Department of Commerce posted an update on the actions it has taken between January 2017 and March 2018 to support the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively, the “Privacy Shield”). The update details measures taken in support of commercial and national security issues relating to the Privacy Shield.

On March 26, 2018, the Centre for Information Policy Leadership at Hunton & Williams LLP and AvePoint released its second Global GDPR Readiness Report (the “Report”), detailing the results of a joint global survey launched in July 2017 concerning organizational preparedness for implementing the EU General Data Protection Regulation (“GDPR”). The Report tracks the GDPR implementation efforts of over 235 multinational organizations, and builds on the findings of the first Global GDPR Readiness Report by providing insights on key changes in readiness levels from 2016 to 2017.

The U.S. Department of Justice (the “DOJ”) has unsealed an indictment accusing nine Iranian nationals of engaging in a “massive and brazen cyber assault” against at least 176 universities, 47 private companies and 7 government agencies and non-governmental organizations, including the Federal Energy Regulatory Commission (“FERC”). According to the DOJ, the nationals worked for Mabna Institute, an Iranian-based company, as “hackers for hire,” stealing login credentials and other sensitive information to sell within Iran and for the benefit of the Iranian government.

On March 20, 2018, the Financial Stability Board (“FSB”) delivered a note to finance ministers and central bank governors from the world’s top 20 economic powers, known as the G-20. The note provides a progress update on the FSB’s work to develop a common vocabulary of cyber terms. 

As reported in BNA Privacy Law Watch, on March 21, 2018, South Dakota enacted the state’s first data breach notification law. The law will take effect on July 1, 2018, and includes several key provisions:

On March 8, 2018, the Ninth Circuit Court of Appeals (“Ninth Circuit”) reversed a decision from the United States District Court for the District of Nevada. The trial court found that one subclass of plaintiffs in In re Zappos.Com, Inc. Customer Data Security Breach Litigation, had not sufficiently alleged injury in fact to establish Article III standing. The opinion focused on consumers who did not allege that any fraudulent charges had been made using their identities, despite hackers accessing their names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information in a 2012 data breach. 

Hunton & Williams LLP is pleased to announce that Richard Thomas, Global Strategy Advisor to the Centre for Information Policy Leadership (“CIPL”), has been selected as Chair for the Bailiwick of Guernsey’s new data protection authority. Adding the appointment to his position at CIPL, Thomas will be formally appointed in May and will work with the Data Protection Commissioner and the States of Guernsey to support the island’s regulatory framework in conjunction with the introduction of its new data protection law. Thomas will work on a shadow basis until his formal appointment, and the role is expected to command between 10 and 15 days per year.

The Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP is pleased to announce that Nathalie Laneret will be joining CIPL as Director of Privacy Policy in May. She brings more than 20 years of experience in data protection policy both in-house and in private practice. She is admitted to the New York and Paris bars and has experience in both France and in the U.S. on data protection, IT and security matters, contracts, competition law, compliance issues and litigation.

On March 15, 2018, the Trump Administration took the unprecedented step of publicly blaming the Russian government for carrying out cyber attacks on American energy infrastructure. According to a joint Technical Alert issued by the Department of Homeland Security and the FBI, beginning at least as early as March 2016, Russian government cyber actors carried out a “multi-stage intrusion campaign” that sought to penetrate U.S. government entities and a wide range of U.S. critical infrastructure sectors, including “organizations in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors.”