Privacy & Information Security Law Blog

On September 26, 2013, the UK Information Commissioner’s Office (“ICO”) published new breach notification guidance (the “Guidance”), applicable to telecom operators, Internet service providers (“ISPs”) and other public electronic communications service (“ECS”) providers.

On September 23, 2013, California Governor Jerry Brown signed a bill that adds “Privacy Rights for California Minors in the Digital World” to the California Online Privacy Protection Act (“CalOPPA”). The new CalOPPA provisions prohibit online marketing or advertising certain products to anyone under age 18, and require website operators to honor requests made by minors who are registered users to remove content the minor posted on the site. In addition, operators must provide notice and instructions to minors explaining their rights regarding the removal of content they’ve posted.

Recent months have seen a significant increase in highly-publicized cyber attacks and cybersecurity incidents, including an August 2013 attack on The New York Times’ website that shut down the site twice in two weeks. Unsurprisingly, there also has been an upswing in the demand for, and underwriting of, cyber insurance. In a recent Law360 article, Takeaways from Recent Cyberattack on New York Times, Hunton & Williams Insurance Litigation & Counseling partner Lon Berk considers whether a hypothetical cyber insurance policy would have covered such a loss.

Today, September 23, 2013, marks the deadline for compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Omnibus Rule that was issued in January 2013. Covered entities, business associates and subcontractors that access, use or disclose protected health information (“PHI”) will need to take the following actions:

On September 6, 2013, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding traveled to Berlin where she commented on the status of the negotiations on the proposed EU General Data Protection Regulation (the “Proposed Regulation”). Commissioner Reding indicated that she was looking for Germany to become involved in the discussions about the Proposed Regulation at the highest level, and she argued in favor of stricter regulations given recent revelations about surveillance programs such as PRISM. Because the vote on the Proposed Regulation only requires a majority to pass, she also emphasized that it would not be necessary to obtain the agreement of all of the EU Member States (for example, the UK or Ireland).

Hunton & Williams LLP is pleased to announce that several privacy lawyers were named to the New York Metro Super Lawyers list for 2013. For the eighth consecutive year, Lisa J. Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, was selected as a New York Super Lawyer. She also was featured in the latest edition of New York Super Lawyers Magazine in an article entitled “The Queen of Breach: Privacy Expert Lisa Sotto Goes Public.” In addition, partner Aaron P. Simpson was included as a Rising Star for the third year in a row, and associate ...

This week, the Department of Health and Human Services’ Office for Civil Rights (“OCR”), in conjunction with the Office of the National Coordinator for Health Information Technology, released model Notices of Privacy Practices. The notices, which have been developed for use by health care providers and health plans, come in different formats:

• an 8-page booklet;
• a 5-page layered notice that summarizes key details on the first page and includes the full content of the booklet on the remaining four pages;
• a 5-page condensed version of the 8-page booklet; and
• a 6-page text-only version of the booklet.

On September 19, 2013, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the first webcast in its new Hunton Global Privacy Update series. The program focused on the latest updates regarding the EU General Data Protection Regulation, recent Safe Harbor issues from both European and American perspectives, and cybersecurity developments on both sides of the Atlantic.

Hunton Global Privacy Update sessions are 30-minutes in length and are scheduled to take place every two months.

On September 9, 2013, the Organization for Economic Cooperation and Development (“OECD”) published its revised guidelines governing the protection of privacy and transborder flows of personal data (the “Revised Guidelines”), updating the OECD’s original guidelines from 1980 that became the first set of accepted international privacy principles.

On August 30, 2013, following the effort by the People’s Republic of China to establish a Consumer Rights Protection Bureau in 2012, the China Banking Regulatory Commission (the “CBRC”) issued a document entitled “Guidance for the Banking Sector on the Protection of the Rights of Consumers” (the “Guidance”). Among other things, the Guidance re-emphasizes the principle of protecting personal financial information. Banking institutions are required (1) to take effective measures to protect consumers’ personal financial information; (2) not to modify or illegally use consumers’ personal financial information; and (3) to prevent the disclosure of consumers’ personal financial information to any third party without the relevant consumers’ authorization or consent.