Privacy & Information Security Law Blog

On April 13, 2016, Nebraska Governor Pete Ricketts signed into law LB 835 (the “Bill”), which among other things, adds a regulator notification requirement and broadens the definition of “personal information” in the state’s data breach notification statute, Neb. Rev. Stat. §§ 87-802 to 87-804. The amendments take effect on July 20, 2016.

In its third simulated test of the security of the power grid, the North American Reliability Corporation (“NERC”) reported general progress across the electric utility industry in defending against physical and cyber threats, while also identifying several areas for further improvement.

The NERC exercise, dubbed GridEx III, took place over two days in November 2015 and involved more than 4,400 individuals from 364 industry, law enforcement and government organizations across the United States, Canada and Mexico. The main objectives of the exercise were to test crisis response and recovery, improve communication, identify problem areas and engage senior-level leadership in the organizations involved.

The Federal Trade Commission recently released an interactive tool for mobile health apps. The tool was developed in conjunction with several other federal agencies, including the Department of Health and Human Services’ Office for Civil Rights, the Office of the National Coordinator for Health Information Technology, and the Food and Drug Administration.

In a recent article published by SC Magazine, Lisa Sotto, head of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice, provides commentary on the recent case, Apple v. FBI. The article analyzes privacy versus security, and Sotto tells SC Magazine, “[the case] should never have escalated to this, privacy should have been addressed” at the onset of the investigation. Sotto says the government should have “worked with tech companies to craft policies and processes” before an issue of this magnitude arose. The article provides details on the case and discusses ...

With the recent adoption of the EU General Data Protection Regulation (“GDPR”) and the significant changes it will require from organizations, AvePoint has joined forces with the Centre for Information Policy Leadership (“CIPL”), a global privacy policy think tank at Hunton & Williams LLP, to launch the first global survey to benchmark organizations’ readiness for the GDPR.

On April 12, 2016, the French Data Protection Authority (“CNIL”) announced that it will participate in a coordinated online audit to analyze the impact of everyday connected devices on privacy. The audit will be coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”) from around the world.

On April 6, 2016, U.S. District Judge R. Gary Klausner approved a settlement in Corona v. Sony Pictures Entertainment, Inc., No. 14-CV-09600 (RGK). As we previously reported, the litigation centered on a data breach involving the stolen personal information of at least 15,000 former and current employees. After a partial success on its motion to dismiss, Sony still faced potential liability for negligence based on its three-week delay in notifying its employees of the data breach, as well as statutory claims under the California Confidentiality of Medical Information Act and the Unfair Competition Law.

As reported on the Hunton Insurance Recovery Blog, data breach claims involving customer data can present an ever-increasing risk for companies across all industries. A recent case illustrates efforts to recover the costs associated with such claims. A panel of the Fourth Circuit confirmed that general liability policies can afford coverage for cyber-related liabilities, and ruled that an insurer had to pay attorneys’ fees to defend the policyholder in class action litigation in Travelers Indemnity Company v. Portal Healthcare Solutions, No. 14-1944. Syed Ahmad, a partner in the Hunton & Williams LLP insurance practice, was quoted in a Law360 article concerning the importance of this decision.

On April 14, 2016, after four years of drafting and negotiations, the long awaited EU General Data Protection Regulation (“GDPR”) has been adopted at the EU level. Following the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs’ vote earlier this week and the EU Parliament in plenary session, the GDPR is now officially EU law and will directly apply in all EU countries, replacing EU and national data protection legislation.

On April 13, 2016, the Article 29 Working Party (the “Working Party”) published its Opinion on the EU-U.S. Privacy Shield (the “Privacy Shield”) draft adequacy decision. The Privacy Shield was created to replace the previous Safe Harbor framework invalidated by the Court of Justice of the European Union (“CJEU”) in the Schrems decision. The Working Party also published a Working Document on the justification for interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees).