Privacy & Information Security Law Blog

As reported in the Hunton Employment & Labor Perspectives Blog:

In Purple Communications, Inc., a divided National Labor Relations Board (“NLRB”) held that employees have the right to use their employers’ email systems for statutorily protected communications, including self-organization and other terms and conditions of employment, during non-working time. In making this determination, the NLRB reversed its divided 2007 decision in Register Guard, which held that employees have no statutory right to use their employer’s email systems for Section 7 purposes.

Former UK Information Commissioner and Centre for Information Policy Leadership (the “Centre”) Global Strategy Advisor Richard Thomas was invited to make a presentation at a roundtable on Privacy Risk Management and Next Steps at the Organization for Economic Cooperation and Development’s (“OECD’s”) 37th meeting of the Working Party on Security and Privacy in the Digital Economy (“Working Party”). The meeting was attended by governmental and regulatory officials from most OECD member countries, with various other participants and observers.

In an article entitled The Rise of Accountability from Policy to Practice and Into the Cloud published by the International Association of Privacy Professinals, Bojana Bellamy, President of the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”), outlines the rapid global uptake of “accountability” as a cornerstone of effective data protection and points to the recent ISO 27018 data privacy cloud standard as one of the latest examples.

On December 11, 2014, in response to a request for a preliminary ruling from the Supreme Administrative Court of the Czech Republic, the Court of Justice of the European Union (“CJEU”) ruled that the use of CCTV in the EU should be strictly limited, and that the exemption for “personal or household activity” does not permit the use of a home CCTV camera that also films any public space.

The Department of Health and Human Services (“HHS”) recently announced a resolution agreement and $150,000 settlement with Anchorage Community Mental Health Services, Inc. (“ACHMS”) in connection with a data breach caused by malware. ACHMS, which provides nonprofit behavioral health care services in Alaska, experienced a breach in March 2012 that affected the electronic protected health information (“ePHI”) of 2,743 individuals. After ACHMS reported the breach to the HHS Office for Civil Rights (“OCR”), OCR investigated ACHMS and found several HIPAA Security Rule violations, including that ACHMS had failed to:

In a flurry of activity on cybersecurity in the waning days of the 113th Congress, Congress unexpectedly approved, largely without debate and by voice vote, four cybersecurity bills that: (1) clarify the role of the Department of Homeland Security (“DHS”) in private-sector information sharing, (2) codify the National Institute of Standards and Technology’s (“NIST”) cybersecurity framework, (3) reform oversight of federal information systems, and (4) enhance the cybersecurity workforce. The President is expected to sign all four bills. The approved legislation is somewhat limited as it largely codifies agency activity already underway. With many observers expecting little legislative activity on cybersecurity before the end of the year, however, that Congress has passed and sent major cybersecurity legislation to the White House for the first time in 12 years may signal Congress’ intent to address systems protection issues more thoroughly in the next Congress.

On December 9, 2014, a coalition of 23 global privacy authorities sent a letter to the operators of mobile application (“app”) marketplaces urging them to require privacy policies for all apps that collect personal information. Although the letter was addressed to seven specific app marketplaces, the letter notes that it is intended to apply to all companies that operate app marketplaces.

On December 10, 2014, the New York State Department of Financial Services (the “Department”) announced that it issued an industry guidance letter to all Department-regulated banking institutions that formally introduces the Department’s new cybersecurity preparedness assessment process. The letter announces the Department’s plans to expand its information technology examination procedures to increase focus on cybersecurity, which will become a regular, ongoing part of the Department’s bank examination process.

On December 8, 2014, the Article 29 Working Party (the “ Working Party”) and the French Data Protection Authority (the “CNIL”) organized the European Data Governance Forum, an international conference centered around the theme of privacy, innovation and surveillance in Europe. The conference concluded with the presentation of a Joint Statement adopted by the Working Party during its plenary meeting on November 25, 2014.

On December 5, 2014, the Article 29 Working Party (the “Working Party”) published a Working Document on surveillance, electronic communications and national security. The Working Party (which is comprised of the national data protection authorities (“DPAs”) of each of the 28 EU Member States) regularly publishes guidance on the application and interpretation of EU data protection law. Although its views are not legally binding, they are strongly indicative of the way in which EU data protection law is likely to be enforced.