Privacy & Information Security Law Blog

As reported by Bloomberg BNA, on January 13, 2014, Ukrainian Parliament Commissioner for Human Rights Valeriya Lutkovska (the “Ombudsman”) announced the adoption of new data protection regulations. The Ombudsman became the new data protection authority in Ukraine as of January 1, 2014, when amendments to abolish the previous data protection authority became effective. As we previously reported, Ukraine first passed personal data protection legislation in June 2010.

As reported in the Hunton Employment & Labor Perspectives Blog:

While much attention has been paid this year to the Equal Employment Opportunity Commission’s (“EEOC’s”) agenda and litigation over criminal background checks (the agency asserts such background checks have a disparate impact on minority groups), a parallel challenge kept pace in the form of private class action litigation under the Fair Credit Reporting Act (“FCRA”). 2013 saw a number of significant class action settlements against both employers and consumer reporting agencies (“CRAs”) for alleged violations of the FCRA in the use of criminal background checks:

On January 8, 2014, Senator Patrick Leahy (D-VT), Chair of the U.S. Senate Judiciary Committee, reintroduced the Personal Data Privacy and Security Act of 2014, comprehensive information security legislation that would establish a national standard for data breach notification and require businesses to safeguard customers’ sensitive personal information from cyber threats. The bill also would establish criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data when the incident causes economic damage to consumers.

On December 23, 2013, the Federal Trade Commission announced that it accepted a proposed mechanism, submitted by Imperium, LLC (“Imperium”), to obtain verifiable parental consent in accordance with the Children’s Online Privacy Protection Rule (the “COPPA Rule”) that came into effect July 1, 2013.

The EU-U.S. Safe Harbor Framework is an important cross-border data transfer mechanism that enables certified organizations to move personal data from the European Union to the United States in compliance with European data protection laws. Recently, however, the Safe Harbor’s future has been thrown into doubt. In an article published on October 30, 2013 by Practical Law, Lisa J. Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, partner Bridget Treacy and associate Naomi McBride, examine the Safe Harbor Framework and its future ...

On December 18, 2013, the UK Information Commissioner’s Office (“ICO”) published its proposed strategy for handling complaints, stating that, beginning in April 2014, it will focus its efforts on the investigation of serious and repeat violations of data protection laws. The ICO also intends to publish regular reports highlighting the number of complaints it receives about organizations and enforcement actions it has taken. The ICO is seeking comments on the proposed strategy, which is explained in a public consultation document, before January 31, 2014.

In December 2013, the UK Information Commissioner’s Office (“ICO”) issued non-binding guidance aimed at app developers (the “Guidance”). The Guidance applies to all types of mobile devices, including smart TVs and video game consoles.

On December 31, 2013, the Federal Trade Commission announced that Accretive Health, Inc. (“Accretive”) has agreed to settle charges that the company’s inadequate data security measures unfairly exposed sensitive consumer information to the risk of theft or misuse. Accretive experienced a breach in July 2011 that involved the protected health information of more than 23,000 patients.

On December 26, 2013, the Department of Health and Human Services (“HHS”) announced a resolution agreement and $150,000 settlement with Adult & Pediatric Dermatology, P.C. (“APDerm”), a private dermatology practice based in Massachusetts, following a security breach that affected approximately 2,200 individuals. In connection with the announcement, the HHS Office for Civil Rights (“OCR”) Director Leon Rodriguez stated that “[c]overed entities of all sizes need to give priority to securing electronic protected health information.”

On December 10, 2013, a German data protection working group on advertising and address trading published new guidelines on the collection, processing and use of personal data for advertising purposes (the “Guidelines”). The working group was established by the committee of German data protection authorities (“DPAs”) and is chaired by the Bavarian DPA. The first set of guidelines were published in November 2012.