Privacy & Information Security Law Blog

On March 17, 2017, the Federal Trade Commission announced that Upromise, Inc., (“Upromise”) agreed to pay $500,000 to settle allegations (the “Settlement”) that it violated the terms of a 2012 consent order (the “2012 Order”) that required Upromise to provide notice to consumers regarding its data collection and use practices, and obtain third-party audits.

On March 17, 2017, retailer Neiman Marcus agreed to pay $1.6 million as part of a proposed settlement (the “Settlement”) to a consumer class action lawsuit stemming from a 2013 data breach that allegedly compromised the credit card data of approximately 350,000 customers.

On March 15, 2017, the French data protection authority (the “CNIL”) published a six step methodology and tools for businesses to prepare for the EU General Data Protection Regulation (“GDPR”) that will become applicable on May 25, 2018.

On March 2, 2017, the UK Information Commissioner’s Office (“ICO”) published draft guidance regarding the consent requirements of the EU General Data Protection Regulation (“GDPR”). The guidance sets forth how the ICO interprets the GDPR’s consent requirements, and its recommended approach to compliance and good practice. The ICO guidance precedes the Article 29 Working Party’s guidance on consent, which is expected in 2017.

On March 9, 2017, AllClear ID hosted a webinar with Hunton & Williams partner and chair of the Global Privacy and Cybersecurity practice Lisa J. Sotto on the new cybersecurity regulations from the New York State Department of Financial Services (“NYDFS”). The NYDFS regulations impose significant cybersecurity requirements on impacted businesses that will dictate how they plan for, respond to and recover from data security events.

On March 21, 2017, Hunton & Williams is pleased to host an in-person seminar in its London office featuring seasoned cybersecurity practitioners. Drawing from deep experience in their respective fields, the panel members will discuss the implications of the EU General Data Protection Regulation’s breach notification obligations in the context of a state-of-the-art cyber attack simulation. In doing so, the panelists will share best practices to help protect organizations in the event of a cyber attack.

On March 3, 2017, the FTC announced the results of a study about online businesses’ use of proper email authentication technology to prevent phishing attacks. The study’s sample included 569 large online businesses with strong ties to the U.S. The FTC found that 86 percent of those businesses use Sender Policy Framework—an email authentication technology that enables Internet Service Providers (“ISPs”) to determine whether an email is from a legitimate source (e.g., whether an email that claims to be from a business’s domain in fact came from the business).

Hunton & Williams LLP, in coordination with the U.S. Chamber of Commerce, recently issued a series of recommendations to enhance the effectiveness of data privacy regulators. The report, Seeking Solutions: Attributes of Effective Data Protection Authorities, identifies seven key attributes of data protection authorities (“DPAs”) that contribute to effective data protection governance. The report also explores how the level of effectiveness varies based on differences in the structure, roles and resources of a DPA.

On March 9, 2017,  Home Depot Inc. (“Home Depot”) reached an agreement that includes the payment of $25 million and the implementation of new data security measures to resolve a putative class action brought by financial institutions impacted by the company’s 2014 data breach.

On March 1, 2017, Hunton & Williams senior consultant attorney Rosemary Jay presented evidence on the data protection reform package and the impact of Brexit to the UK Parliament’s House of Lords EU Home Affairs Sub-Committee meeting.